diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index f6cb6b1f13c..22867bc9ae8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -54,6 +54,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] - auditd module: Fix parsing of audit rules where arguments are quoted (like file paths containing spaces). {pull}32421[32421] - auditd module: Fix minimum AuditStatus length so that library can support kernels from 2.6.32. {pull}32421[32421] - system/socket: Reduce memory usage of the dataset. {issue}32191[32191] {pull}32192[32192] +- Fix rendering of MAC addresses to conform to ECS. {issue}32621[32621] {pull}32622[32622] *Filebeat* @@ -63,6 +64,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] - gcp-pubsub input: Restart Pub/Sub client on all errors. {issue}32550[32550] {pull}32712[32712] - Update `cloud.region` parsing in cloudtrail fileset. {pull}32763[32763] - Fix file.path field in cloudtrail fileset to use json.digestS3Object. {pull}32759[32759] +- Fix rendering of MAC addresses to conform to ECS. {issue}32621[32621] {pull}32622[32622] *Heartbeat* @@ -85,6 +87,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] *Packetbeat* - Fix formatting of debug logs. {pull}32698[32698] +- Fix rendering of MAC addresses to conform to ECS. {issue}32621[32621] {pull}32622[32622] *Winlogbeat* diff --git a/packetbeat/_meta/sample_outputs/flow.json b/packetbeat/_meta/sample_outputs/flow.json index 7fbcfaaa468..4ec6763063a 100644 --- a/packetbeat/_meta/sample_outputs/flow.json +++ b/packetbeat/_meta/sample_outputs/flow.json @@ -37,7 +37,7 @@ "start": "2018-11-30T01:15:50.119Z", "pid": 3468 }, - "mac": "08:00:27:d5:9d:5a", + "mac": "08-00-27-D5-9D-5A", "ip": "10.0.2.15", "port": 23377, "packets": 12 @@ -45,7 +45,7 @@ "destination": { "packets": 16, "bytes": 5558, - "mac": "52:54:00:12:35:02", + "mac": "52-54-00-12-35-02", "ip": "130.211.38.145", "port": 443 }, 
diff --git a/packetbeat/docs/packetbeat-options.asciidoc b/packetbeat/docs/packetbeat-options.asciidoc index 2ac1286b0dc..e12706a545f 100644 --- a/packetbeat/docs/packetbeat-options.asciidoc +++ b/packetbeat/docs/packetbeat-options.asciidoc @@ -340,7 +340,7 @@ Here’s an example of a flow information sent by Packetbeat. See "destination": { "bytes": 460, "ip": "198.51.100.2", - "mac": "06:05:04:03:02:01", + "mac": "06-05-04-03-02-01", "packets": 2, "port": 80 }, @@ -365,7 +365,7 @@ Here’s an example of a flow information sent by Packetbeat. See "source": { "bytes": 10, "ip": "203.0.113.3", - "mac": "01:02:03:04:05:06", + "mac": "01-02-03-04-05-06", "packets": 1, "port": 38901 } diff --git a/packetbeat/flows/flows_test.go b/packetbeat/flows/flows_test.go index fc81131d0d2..187dab3ac62 100644 --- a/packetbeat/flows/flows_test.go +++ b/packetbeat/flows/flows_test.go @@ -141,8 +141,8 @@ func TestFlowsCounting(t *testing.T) { network := event["network"].(mapstr.M) // validate generated event - assert.Equal(t, net.HardwareAddr(mac1).String(), source["mac"]) - assert.Equal(t, net.HardwareAddr(mac2).String(), dest["mac"]) + assert.Equal(t, formatHardwareAddr(net.HardwareAddr(mac1)), source["mac"]) + assert.Equal(t, formatHardwareAddr(net.HardwareAddr(mac2)), dest["mac"]) assert.Equal(t, net.IP(ip1).String(), source["ip"]) assert.Equal(t, net.IP(ip2).String(), dest["ip"]) assert.Equal(t, uint16(256), source["port"]) diff --git a/packetbeat/flows/worker.go b/packetbeat/flows/worker.go index fa55e2015df..0029e7acc16 100644 --- a/packetbeat/flows/worker.go +++ b/packetbeat/flows/worker.go 
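Review bot: In `TestFlowsCounting` (packetbeat/flows/flows_test.go) the expected MAC values are now produced by `formatHardwareAddr` itself, so the assertions no longer pin the output format and would still pass if the helper regressed to a different separator or letter case. Comparing against a literal in the ECS form (uppercase hex pairs joined by `-`) would make the check independent of the code under test; the bytes of `mac1` and `mac2` are defined outside this hunk, so the literal has to be derived from them. A small table test for `formatHardwareAddr` that includes an empty address and a non-6-byte address would also record the intended behaviour at the edges.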
@@ -323,8 +323,8 @@ func createEvent(watcher procs.ProcessesWatcher, ts time.Time, f *biFlow, isOver // add ethernet layer meta data if src, dst, ok := f.id.EthAddr(); ok { - source["mac"] = net.HardwareAddr(src).String() - dest["mac"] = net.HardwareAddr(dst).String() + source["mac"] = formatHardwareAddr(net.HardwareAddr(src)) + dest["mac"] = formatHardwareAddr(net.HardwareAddr(dst)) } // add vlan @@ -520,6 +520,19 @@ func createEvent(watcher procs.ProcessesWatcher, ts time.Time, f *biFlow, isOver } } +// formatHardwareAddr formats hardware addresses according to the ECS spec. +func formatHardwareAddr(addr net.HardwareAddr) string { + buf := make([]byte, 0, len(addr)*3-1) + for _, b := range addr { + if len(buf) != 0 { + buf = append(buf, '-') + } + const hexDigit = "0123456789ABCDEF" + buf = append(buf, hexDigit[b>>4], hexDigit[b&0xf]) + } + return string(buf) +} + func encodeStats(stats *flowStats, ints, uints, floats []string) map[string]interface{} { report := make(map[string]interface{}) diff --git a/packetbeat/flows/worker_test.go b/packetbeat/flows/worker_test.go index 0e1747d0a17..2b5b1261252 100644 --- a/packetbeat/flows/worker_test.go +++ b/packetbeat/flows/worker_test.go @@ -70,14 +70,14 @@ func TestCreateEvent(t *testing.T) { // Validate the contents of the event. validate := lookslike.MustCompile(map[string]interface{}{ "source": map[string]interface{}{ - "mac": "01:02:03:04:05:06", + "mac": "01-02-03-04-05-06", "ip": "203.0.113.3", "port": port1, "bytes": uint64(10), "packets": uint64(1), }, "destination": map[string]interface{}{ - "mac": "06:05:04:03:02:01", + "mac": "06-05-04-03-02-01", "ip": "198.51.100.2", "port": port2, "bytes": uint64(460), 
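Review bot: `formatHardwareAddr` in packetbeat/flows/worker.go panics on a zero-length address, because `make([]byte, 0, len(addr)*3-1)` asks for a capacity of -1 and Go raises a runtime panic for a negative capacity. `net.HardwareAddr.String()`, which this replaces, returned an empty string in that case, so this is a behaviour change on a path fed by captured traffic. An early `if len(addr) == 0 { return "" }` at the top of the function restores the old contract. The identical copies added in packetbeat/protos/dhcpv4/dhcpv4.go, x-pack/auditbeat/module/system/host/host.go and x-pack/filebeat/input/netflow/convert.go carry the same problem; the last two guard at the call site, the dhcpv4 one does not. Keeping four copies also means every fix has to be applied four times, which a single shared helper would avoid.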
@@ -116,7 +116,7 @@ func TestCreateEvent(t *testing.T) { // Write the event to disk if -data is used. if *dataFlag { - _, _ = event.Fields.Put("@timestamp", common.Time(end)) + event.Fields.Put("@timestamp", common.Time(end)) //nolint:errcheck // Never fails. output, err := json.MarshalIndent(&event.Fields, "", " ") if err != nil { t.Fatal(err) diff --git a/packetbeat/protos/dhcpv4/dhcpv4.go b/packetbeat/protos/dhcpv4/dhcpv4.go index a719a1c8fa2..87756a2a6fe 100644 --- a/packetbeat/protos/dhcpv4/dhcpv4.go +++ b/packetbeat/protos/dhcpv4/dhcpv4.go @@ -15,10 +15,12 @@ // specific language governing permissions and limitations // under the License. +//nolint:errcheck // All complaints are about mapstr.M puts. package dhcpv4 import ( "fmt" + "net" "strings" "github.com/insomniacslk/dhcp/dhcpv4" @@ -126,6 +128,7 @@ func (p *dhcpv4Plugin) parseDHCPv4(pkt *protos.Packet) *beat.Event { fields["type"] = pbf.Event.Dataset fields["status"] = "OK" + mac16 := v4.ClientHwAddr() dhcpData := mapstr.M{ "op_code": strings.ToLower(v4.OpcodeToString()), "hardware_type": v4.HwTypeToString(), @@ -133,7 +136,7 @@ func (p *dhcpv4Plugin) parseDHCPv4(pkt *protos.Packet) *beat.Event { "transaction_id": fmt.Sprintf("0x%08x", v4.TransactionID()), "seconds": v4.NumSeconds(), "flags": strings.ToLower(v4.FlagsToString()), - "client_mac": v4.ClientHwAddrToString(), + "client_mac": formatHardwareAddr(net.HardwareAddr(mac16[:v4.HwAddrLen()])), } fields["dhcpv4"] = dhcpData 
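Review bot: The `//nolint:errcheck` directive placed above `package dhcpv4` in packetbeat/protos/dhcpv4/dhcpv4.go switches the check off for the whole file, not only for the `mapstr.M` puts its comment names. In a packet parser that is broader than needed, since a future unchecked error from decoding would also go unreported. The same commit already writes `_, _ = dhcpData.Put("option", opts)` further down, so an explicit discard or a line-level `//nolint:errcheck` at each put looks sufficient and keeps the linter active for the rest of the file.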
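Review bot: The slice bound in `mac16[:v4.HwAddrLen()]` (parseDHCPv4, packetbeat/protos/dhcpv4/dhcpv4.go) comes from a field of the captured DHCP packet and is used without a range check. A length of zero reaches `formatHardwareAddr`, whose `make(..., len(addr)*3-1)` panics on an empty address, and a length larger than `mac16` would panic in the slice expression itself; whether the DHCP library already clamps the value is not visible in this hunk. Bounding it before use, for example `if n := int(v4.HwAddrLen()); n > 0 && n <= len(mac16) { dhcpData["client_mac"] = formatHardwareAddr(net.HardwareAddr(mac16[:n])) }`, keeps a malformed packet from crashing the capture process. parseDHCPv4 starts and ends outside the hunk.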
@@ -160,8 +163,21 @@ func (p *dhcpv4Plugin) parseDHCPv4(pkt *protos.Packet) *beat.Event { p.log.Warnw("Failed converting DHCP options to map", "dhcpv4", v4, "error", err) } else if len(opts) > 0 { - dhcpData.Put("option", opts) + _, _ = dhcpData.Put("option", opts) } return &evt } + +// formatHardwareAddr formats hardware addresses according to the ECS spec. +func formatHardwareAddr(addr net.HardwareAddr) string { + buf := make([]byte, 0, len(addr)*3-1) + for _, b := range addr { + if len(buf) != 0 { + buf = append(buf, '-') + } + const hexDigit = "0123456789ABCDEF" + buf = append(buf, hexDigit[b>>4], hexDigit[b&0xf]) + } + return string(buf) +} diff --git a/packetbeat/protos/dhcpv4/dhcpv4_test.go b/packetbeat/protos/dhcpv4/dhcpv4_test.go index 19614ff469b..36f686ca81d 100644 --- a/packetbeat/protos/dhcpv4/dhcpv4_test.go +++ b/packetbeat/protos/dhcpv4/dhcpv4_test.go @@ -82,7 +82,7 @@ var ( ) func TestParseDHCPRequest(t *testing.T) { - logp.TestingSetup() + _ = logp.TestingSetup() p, err := newPlugin(true, nil, procs.ProcessesWatcher{}, nil) if err != nil { t.Fatal(err) @@ -137,7 +137,7 @@ func TestParseDHCPRequest(t *testing.T) { "ip": []string{"0.0.0.0", "255.255.255.255"}, }, "dhcpv4": mapstr.M{ - "client_mac": "00:0b:82:01:fc:42", + "client_mac": "00-0B-82-01-FC-42", "flags": "unicast", "hardware_type": "Ethernet", "hops": 0, @@ -161,7 +161,8 @@ func TestParseDHCPRequest(t *testing.T) { actual := p.parseDHCPv4(pkt) if assert.NotNil(t, actual) { - publish.MarshalPacketbeatFields(actual, nil, nil) + _, err := publish.MarshalPacketbeatFields(actual, nil, nil) + assert.NoError(t, err, "marshalling packet beat fields") t.Logf("DHCP event: %+v", actual) assertEqual(t, expected, *actual) } @@ -223,7 +224,7 @@ func TestParseDHCPACK(t *testing.T) { }, "dhcpv4": mapstr.M{ "assigned_ip": "192.168.0.10", - "client_mac": "00:0b:82:01:fc:42", + "client_mac": "00-0B-82-01-FC-42", "flags": "unicast", "hardware_type": "Ethernet", "hops": 0, 
@@ -244,7 +245,8 @@ func TestParseDHCPACK(t *testing.T) { actual := p.parseDHCPv4(pkt) if assert.NotNil(t, actual) { - publish.MarshalPacketbeatFields(actual, nil, nil) + _, err := publish.MarshalPacketbeatFields(actual, nil, nil) + assert.NoError(t, err, "marshalling packet beat fields") t.Logf("DHCP event: %+v", actual) assertEqual(t, expected, *actual) } diff --git a/packetbeat/tests/system/test_0060_flows.py b/packetbeat/tests/system/test_0060_flows.py index 91598ffbdc0..e1d262b439e 100644 --- a/packetbeat/tests/system/test_0060_flows.py +++ b/packetbeat/tests/system/test_0060_flows.py @@ -43,8 +43,8 @@ def test_mysql_flow(self): assert len(objs) == 1 check_fields(objs[0], { 'flow.final': True, - 'source.mac': '0a:00:27:00:00:00', - 'destination.mac': '08:00:27:76:d7:41', + 'source.mac': '0A-00-27-00-00-00', + 'destination.mac': '08-00-27-76-D7-41', 'destination.ip': '192.168.33.14', 'source.ip': '192.168.33.1', 'network.transport': 'tcp', @@ -78,8 +78,8 @@ def test_memcache_udp_flow(self): assert len(objs) == 1 check_fields(objs[0], { 'flow.final': True, - 'source.mac': 'ac:bc:32:77:41:0b', - 'destination.mac': '08:00:27:dd:3b:28', + 'source.mac': 'AC-BC-32-77-41-0B', + 'destination.mac': '08-00-27-DD-3B-28', 'source.ip': '192.168.188.37', 'destination.ip': '192.168.188.38', 'network.transport': 'udp', @@ -106,8 +106,8 @@ def test_icmp4_ping(self): assert len(objs) == 1 check_fields(objs[0], { 'flow.final': True, - 'source.mac': '00:00:00:00:00:01', - 'destination.mac': '00:00:00:00:00:02', + 'source.mac': '00-00-00-00-00-01', + 'destination.mac': '00-00-00-00-00-02', 'flow.vlan': 10, 'source.ip': '10.0.0.1', 'destination.ip': '10.0.0.2', 
@@ -135,11 +135,11 @@ def test_icmp6_ping(self): check_fields(objs[0], { 'flow.final': True, 'flow.vlan': 10, - 'source.mac': '00:00:00:00:00:01', + 'source.mac': '00-00-00-00-00-01', 'source.ip': '::1', 'source.bytes': 70, 'source.packets': 1, - 'destination.mac': '00:00:00:00:00:02', + 'destination.mac': '00-00-00-00-00-02', 'destination.ip': '::2', 'destination.bytes': 70, 'destination.packets': 1, @@ -168,8 +168,8 @@ def test_q_in_q_flow(self): 'source.ip': '192.168.1.1', 'source.bytes': 82, 'source.packets': 1, - 'source.mac': '08:00:27:3d:25:4e', - 'destination.mac': '1c:af:f7:70:ed:7c', + 'source.mac': '08-00-27-3D-25-4E', + 'destination.mac': '1C-AF-F7-70-ED-7C', 'destination.ip': '192.168.1.2', 'network.bytes': 82, 'network.packets': 1, diff --git a/packetbeat/tests/system/test_0066_dhcp.py b/packetbeat/tests/system/test_0066_dhcp.py index 2025df30278..ec1a14b592e 100644 --- a/packetbeat/tests/system/test_0066_dhcp.py +++ b/packetbeat/tests/system/test_0066_dhcp.py @@ -18,7 +18,7 @@ def test_dhcp(self): assert objs[0]["client.ip"] == "0.0.0.0" assert objs[0]["client.port"] == 68 assert objs[0]["destination.ip"] == "255.255.255.255" - assert objs[0]["dhcpv4.client_mac"] == "00:0b:82:01:fc:42" + assert objs[0]["dhcpv4.client_mac"] == "00-0B-82-01-FC-42" assert objs[0]["dhcpv4.flags"] == "unicast" assert objs[0]["dhcpv4.hardware_type"] == "Ethernet" assert objs[0]["dhcpv4.hops"] == 0 @@ -50,7 +50,7 @@ def test_dhcp(self): assert objs[1]["client.port"] == 68 assert objs[1]["destination.ip"] == "192.168.0.10" assert objs[1]["dhcpv4.assigned_ip"] == "192.168.0.10" - assert objs[1]["dhcpv4.client_mac"] == "00:0b:82:01:fc:42" + assert objs[1]["dhcpv4.client_mac"] == "00-0B-82-01-FC-42" assert objs[1]["dhcpv4.flags"] == "unicast" assert objs[1]["dhcpv4.hardware_type"] == "Ethernet" assert objs[1]["dhcpv4.hops"] == 0 
@@ -79,7 +79,7 @@ def test_dhcp(self): assert "event.start" in objs[2] assert objs[2]["client.ip"] == "0.0.0.0" assert objs[2]["client.port"] == 68 - assert objs[2]["dhcpv4.client_mac"] == "00:0b:82:01:fc:42" + assert objs[2]["dhcpv4.client_mac"] == "00-0B-82-01-FC-42" assert objs[2]["dhcpv4.flags"] == "unicast" assert objs[2]["dhcpv4.hardware_type"] == "Ethernet" assert objs[2]["dhcpv4.hops"] == 0 @@ -111,7 +111,7 @@ def test_dhcp(self): assert objs[3]["client.port"] == 68 assert objs[3]["destination.ip"] == "192.168.0.10" assert objs[3]["dhcpv4.assigned_ip"] == "192.168.0.10" - assert objs[3]["dhcpv4.client_mac"] == "00:0b:82:01:fc:42" + assert objs[3]["dhcpv4.client_mac"] == "00-0B-82-01-FC-42" assert objs[3]["dhcpv4.flags"] == "unicast" assert objs[3]["dhcpv4.hardware_type"] == "Ethernet" assert objs[3]["dhcpv4.hops"] == 0 diff --git a/x-pack/auditbeat/module/system/host/_meta/data.json b/x-pack/auditbeat/module/system/host/_meta/data.json index a4494027c6b..a2b0bef9460 100644 --- a/x-pack/auditbeat/module/system/host/_meta/data.json +++ b/x-pack/auditbeat/module/system/host/_meta/data.json @@ -33,10 +33,10 @@ "fe80::42:9eff:fed3:d888" ], "mac": [ - "02:2d:fd:81:e7:47", - "08:00:27:1f:71:60", - "02:42:83:be:1a:3a", - "02:42:9e:d3:d8:88" + "02-2D-FD-81-E7-47", + "08-00-27-1F-71-60", + "02-42-83-BE-1A-3A", + "02-42-9E-D3-D8-88" ], "os": { "family": "debian", diff --git a/x-pack/auditbeat/module/system/host/host.go b/x-pack/auditbeat/module/system/host/host.go index c2a983ca3c9..37860fcc436 100644 --- a/x-pack/auditbeat/module/system/host/host.go +++ b/x-pack/auditbeat/module/system/host/host.go @@ -95,6 +95,7 @@ type Host struct { // changeDetectionHash creates a hash of selected parts of the host information. // This is used later to detect changes to a host over time. +//nolint:errcheck // All checks are for writes to a hasher. func (host *Host) changeDetectionHash() uint64 { h := xxhash.New() 
@@ -114,6 +115,7 @@ func (host *Host) changeDetectionHash() uint64 { return h.Sum64() } +//nolint:errcheck // All checks are for mapstr.Put. func (host *Host) toMapStr() mapstr.M { mapstr := mapstr.M{ // https://github.com/elastic/ecs#-host-fields @@ -155,9 +157,8 @@ func (host *Host) toMapStr() mapstr.M { var macStrings []string for _, mac := range host.Macs { - macStr := mac.String() - if macStr != "" { - macStrings = append(macStrings, macStr) + if len(mac) != 0 { + macStrings = append(macStrings, formatHardwareAddr(mac)) } } mapstr.Put("mac", macStrings) @@ -165,6 +166,19 @@ func (host *Host) toMapStr() mapstr.M { return mapstr } +// formatHardwareAddr formats hardware addresses according to the ECS spec. +func formatHardwareAddr(addr net.HardwareAddr) string { + buf := make([]byte, 0, len(addr)*3-1) + for _, b := range addr { + if len(buf) != 0 { + buf = append(buf, '-') + } + const hexDigit = "0123456789ABCDEF" + buf = append(buf, hexDigit[b>>4], hexDigit[b&0xf]) + } + return string(buf) +} + func init() { mb.Registry.MustAddMetricSet(moduleName, metricsetName, New, mb.DefaultMetricSet(), @@ -273,6 +287,7 @@ func (ms *MetricSet) reportChanges(report mb.ReporterV2) error { var events []mb.Event // Report ID changes as a separate, special event. + //nolint:errcheck // All checks are for mapstr.Put. if ms.lastHost.Info.UniqueID != currentHost.Info.UniqueID { /* Issue two events - one for the host with the old ID, one for the new @@ -309,7 +324,7 @@ func (ms *MetricSet) reportChanges(report mb.ReporterV2) error { } if len(events) > 0 { - ms.saveStateToDisk() + return ms.saveStateToDisk() } return nil @@ -336,6 +351,7 @@ func getHost() (*Host, error) { return host, nil } +//nolint:errcheck // All checks are for mapstr.CopyFieldsTo. func hostEvent(host *Host, eventType string, action eventAction) mb.Event { hostFields := host.toMapStr() 
@@ -460,9 +476,11 @@ func (ms *MetricSet) restoreStateFromDisk() error { if decoder != nil { var lastHost Host err = decoder.Decode(&lastHost) - if err == nil { + switch err { //nolint:errorlint // Bad linter! io.EOF is never wrapped. + case nil: ms.lastHost = &lastHost - } else if err != io.EOF { + case io.EOF: + default: return fmt.Errorf("error decoding host information: %w", err) } } diff --git a/x-pack/filebeat/input/netflow/convert.go b/x-pack/filebeat/input/netflow/convert.go index 7fcbdc84419..87bbf94788b 100644 --- a/x-pack/filebeat/input/netflow/convert.go +++ b/x-pack/filebeat/input/netflow/convert.go @@ -391,10 +391,27 @@ func getKeyIP(dict record.Map, key string) (value net.IP, found bool) { // because HardwareAddr doesn't implement Marshaler interface. func fixMacAddresses(dict map[string]interface{}) { for key, value := range dict { - if asMac, ok := value.(net.HardwareAddr); ok { - dict[key] = asMac.String() + if addr, ok := value.(net.HardwareAddr); ok { + if len(addr) == 0 { + delete(dict, key) + continue + } + dict[key] = formatHardwareAddr(addr) + } + } +} + +// formatHardwareAddr formats hardware addresses according to the ECS spec. +func formatHardwareAddr(addr net.HardwareAddr) string { + buf := make([]byte, 0, len(addr)*3-1) + for _, b := range addr { + if len(buf) != 0 { + buf = append(buf, '-') } + const hexDigit = "0123456789ABCDEF" + buf = append(buf, hexDigit[b>>4], hexDigit[b&0xf]) } + return string(buf) } // Locality is an enum representing the locality of a network address. diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json index b1dd7eb6c1d..3fa4549af7d 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json 
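Review bot: The empty `case io.EOF:` in `restoreStateFromDisk` (x-pack/auditbeat/module/system/host/host.go) silently accepts an empty or truncated state read, and nothing in the code says why that is intended. A short comment on that case, such as `// No saved host state to restore; ms.lastHost is left as is.`, would make the fall-through visibly deliberate; this is hedged, because what the decoder reads is set up outside this hunk. The `//nolint:errorlint` could also be dropped by testing `errors.Is(err, io.EOF)`, which stays correct even if the decoder ever starts wrapping its errors. The function begins and ends outside the hunk.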
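Review bot: `fixMacAddresses` in x-pack/filebeat/input/netflow/convert.go now deletes keys whose `net.HardwareAddr` is zero-length, but its doc comment (which begins above the hunk) still describes only the string conversion. Extending it with something like `// Zero-length addresses are removed from dict rather than emitted as empty strings.` would record the new behaviour for consumers that expect the field to be present. The golden files in this commit still contain `00-00-00-00-00-00`, so all-zero addresses are kept and only empty ones are dropped, which is worth stating in the same comment.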
+++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json @@ -57,7 +57,7 @@ "reason_text": "Normal Operation", "service_name": "https", "source_ipv4_address": "10.236.5.4", - "source_mac_address": "00:50:56:b9:26:46", + "source_mac_address": "00-50-56-B9-26-46", "source_transport_port": 51917, "timestamp": 1524039407, "traffic_type": 0, @@ -84,7 +84,7 @@ "bytes": 0, "ip": "10.236.5.4", "locality": "internal", - "mac": "00:50:56:b9:26:46", + "mac": "00-50-56-B9-26-46", "packets": 0, "port": 51917 } @@ -148,7 +148,7 @@ "reason_text": "Normal Operation", "service_name": "https", "source_ipv4_address": "64.235.151.76", - "source_mac_address": "00:00:00:00:00:00", + "source_mac_address": "00-00-00-00-00-00", "source_transport_port": 443, "timestamp": 1524039407, "traffic_type": 0, @@ -175,7 +175,7 @@ "bytes": 0, "ip": "64.235.151.76", "locality": "external", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "packets": 0, "port": 443 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json index 7d89a8dad1e..4eb6dfb9a27 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json @@ -47,7 +47,7 @@ "packet_total_count": 1, "protocol_identifier": 17, "source_ipv4_address": "10.99.130.239", - "source_mac_address": "00:00:00:00:00:00", + "source_mac_address": "00-00-00-00-00-00", "source_transport_port": 65105, "type": "netflow_flow" }, @@ -72,7 +72,7 @@ "bytes": 0, "ip": "10.99.130.239", "locality": "internal", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "packets": 0, "port": 65105 } 
@@ -126,7 +126,7 @@ "packet_total_count": 1, "protocol_identifier": 17, "source_ipv4_address": "10.99.252.50", - "source_mac_address": "00:00:00:00:00:00", + "source_mac_address": "00-00-00-00-00-00", "source_transport_port": 53, "type": "netflow_flow" }, @@ -151,7 +151,7 @@ "bytes": 81, "ip": "10.99.252.50", "locality": "internal", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "packets": 1, "port": 53 } @@ -205,7 +205,7 @@ "packet_total_count": 1, "protocol_identifier": 17, "source_ipv4_address": "10.99.130.239", - "source_mac_address": "00:00:00:00:00:00", + "source_mac_address": "00-00-00-00-00-00", "source_transport_port": 65105, "type": "netflow_flow" }, @@ -230,7 +230,7 @@ "bytes": 0, "ip": "10.99.130.239", "locality": "internal", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "packets": 0, "port": 65105 } @@ -284,7 +284,7 @@ "packet_total_count": 1, "protocol_identifier": 17, "source_ipv4_address": "10.98.243.20", - "source_mac_address": "00:00:00:00:00:00", + "source_mac_address": "00-00-00-00-00-00", "source_transport_port": 53, "type": "netflow_flow" }, @@ -309,7 +309,7 @@ "bytes": 81, "ip": "10.98.243.20", "locality": "internal", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "packets": 1, "port": 53 } @@ -363,7 +363,7 @@ "packet_total_count": 1, "protocol_identifier": 17, "source_ipv4_address": "10.99.168.140", - "source_mac_address": "00:00:00:00:00:00", + "source_mac_address": "00-00-00-00-00-00", "source_transport_port": 52344, "type": "netflow_flow" }, @@ -388,7 +388,7 @@ "bytes": 0, "ip": "10.99.168.140", "locality": "internal", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "packets": 0, "port": 52344 } @@ -442,7 +442,7 @@ "packet_total_count": 1, "protocol_identifier": 17, "source_ipv4_address": "10.98.243.20", - "source_mac_address": "00:00:00:00:00:00", + "source_mac_address": "00-00-00-00-00-00", "source_transport_port": 53, "type": "netflow_flow" }, 
@@ -467,7 +467,7 @@ "bytes": 113, "ip": "10.98.243.20", "locality": "internal", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "packets": 1, "port": 53 } @@ -521,7 +521,7 @@ "packet_total_count": 1, "protocol_identifier": 17, "source_ipv4_address": "10.99.168.140", - "source_mac_address": "00:00:00:00:00:00", + "source_mac_address": "00-00-00-00-00-00", "source_transport_port": 50294, "type": "netflow_flow" }, @@ -546,7 +546,7 @@ "bytes": 0, "ip": "10.99.168.140", "locality": "internal", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "packets": 0, "port": 50294 } @@ -600,7 +600,7 @@ "packet_total_count": 1, "protocol_identifier": 17, "source_ipv4_address": "10.98.243.20", - "source_mac_address": "00:00:00:00:00:00", + "source_mac_address": "00-00-00-00-00-00", "source_transport_port": 53, "type": "netflow_flow" }, @@ -625,7 +625,7 @@ "bytes": 113, "ip": "10.98.243.20", "locality": "internal", - "mac": "00:00:00:00:00:00", + "mac": "00-00-00-00-00-00", "packets": 1, "port": 53 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json index d8520437747..cf60df28120 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json @@ -44,7 +44,7 @@ "packet_delta_count": 1, "protocol_identifier": 17, "source_ipv4_address": "192.168.0.111", - "source_mac_address": "ec:1f:72:11:9f:c1", + "source_mac_address": "EC-1F-72-11-9F-C1", "source_transport_port": 37301, "tcp_control_bits": 0, "type": "netflow_flow" @@ -70,7 +70,7 @@ "bytes": 75, "ip": "192.168.0.111", "locality": "internal", - "mac": "ec:1f:72:11:9f:c1", + "mac": "EC-1F-72-11-9F-C1", "packets": 1, "port": 37301 } 
@@ -121,7 +121,7 @@ "packet_delta_count": 1, "protocol_identifier": 17, "source_ipv4_address": "192.168.0.111", - "source_mac_address": "ec:1f:72:11:9f:c1", + "source_mac_address": "EC-1F-72-11-9F-C1", "source_transport_port": 58411, "tcp_control_bits": 0, "type": "netflow_flow" @@ -147,7 +147,7 @@ "bytes": 75, "ip": "192.168.0.111", "locality": "internal", - "mac": "ec:1f:72:11:9f:c1", + "mac": "EC-1F-72-11-9F-C1", "packets": 1, "port": 58411 } @@ -198,7 +198,7 @@ "packet_delta_count": 1, "protocol_identifier": 17, "source_ipv4_address": "192.168.0.111", - "source_mac_address": "ec:1f:72:11:9f:c1", + "source_mac_address": "EC-1F-72-11-9F-C1", "source_transport_port": 37661, "tcp_control_bits": 0, "type": "netflow_flow" @@ -224,7 +224,7 @@ "bytes": 75, "ip": "192.168.0.111", "locality": "internal", - "mac": "ec:1f:72:11:9f:c1", + "mac": "EC-1F-72-11-9F-C1", "packets": 1, "port": 37661 } @@ -275,7 +275,7 @@ "packet_delta_count": 1, "protocol_identifier": 17, "source_ipv4_address": "192.168.0.111", - "source_mac_address": "ec:1f:72:11:9f:c1", + "source_mac_address": "EC-1F-72-11-9F-C1", "source_transport_port": 60212, "tcp_control_bits": 0, "type": "netflow_flow" @@ -301,7 +301,7 @@ "bytes": 75, "ip": "192.168.0.111", "locality": "internal", - "mac": "ec:1f:72:11:9f:c1", + "mac": "EC-1F-72-11-9F-C1", "packets": 1, "port": 60212 } @@ -352,7 +352,7 @@ "packet_delta_count": 10, "protocol_identifier": 6, "source_ipv4_address": "158.85.58.115", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 5222, "tcp_control_bits": 29, "type": "netflow_flow" @@ -378,7 +378,7 @@ "bytes": 964, "ip": "158.85.58.115", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 10, "port": 5222 } 
@@ -429,7 +429,7 @@ "packet_delta_count": 8, "protocol_identifier": 17, "source_ipv4_address": "192.168.0.88", - "source_mac_address": "a4:d1:8c:e9:30:2c", + "source_mac_address": "A4-D1-8C-E9-30-2C", "source_transport_port": 61490, "tcp_control_bits": 0, "type": "netflow_flow" @@ -455,7 +455,7 @@ "bytes": 2748, "ip": "192.168.0.88", "locality": "internal", - "mac": "a4:d1:8c:e9:30:2c", + "mac": "A4-D1-8C-E9-30-2C", "packets": 8, "port": 61490 } @@ -506,7 +506,7 @@ "packet_delta_count": 9, "protocol_identifier": 17, "source_ipv4_address": "216.58.212.195", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 0, "type": "netflow_flow" @@ -532,7 +532,7 @@ "bytes": 2023, "ip": "216.58.212.195", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 9, "port": 443 } @@ -583,7 +583,7 @@ "packet_delta_count": 9, "protocol_identifier": 6, "source_ipv4_address": "192.168.1.201", - "source_mac_address": "98:01:a7:9f:8d:5f", + "source_mac_address": "98-01-A7-9F-8D-5F", "source_transport_port": 50299, "tcp_control_bits": 24, "type": "netflow_flow" @@ -609,7 +609,7 @@ "bytes": 2180, "ip": "192.168.1.201", "locality": "internal", - "mac": "98:01:a7:9f:8d:5f", + "mac": "98-01-A7-9F-8D-5F", "packets": 9, "port": 50299 } @@ -660,7 +660,7 @@ "packet_delta_count": 9, "protocol_identifier": 6, "source_ipv4_address": "216.58.201.106", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 24, "type": "netflow_flow" @@ -686,7 +686,7 @@ "bytes": 700, "ip": "216.58.201.106", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 9, "port": 443 } 
@@ -737,7 +737,7 @@ "packet_delta_count": 2, "protocol_identifier": 6, "source_ipv4_address": "52.236.33.163", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 24, "type": "netflow_flow" @@ -763,7 +763,7 @@ "bytes": 161, "ip": "52.236.33.163", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 2, "port": 443 } @@ -814,7 +814,7 @@ "packet_delta_count": 21, "protocol_identifier": 6, "source_ipv4_address": "192.168.3.34", - "source_mac_address": "1c:5c:f2:07:0f:2a", + "source_mac_address": "1C-5C-F2-07-0F-2A", "source_transport_port": 61674, "tcp_control_bits": 27, "type": "netflow_flow" @@ -840,7 +840,7 @@ "bytes": 1764, "ip": "192.168.3.34", "locality": "internal", - "mac": "1c:5c:f2:07:0f:2a", + "mac": "1C-5C-F2-07-0F-2A", "packets": 21, "port": 61674 } @@ -891,7 +891,7 @@ "packet_delta_count": 30, "protocol_identifier": 6, "source_ipv4_address": "209.197.3.19", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 31, "type": "netflow_flow" @@ -917,7 +917,7 @@ "bytes": 13811, "ip": "209.197.3.19", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 30, "port": 443 } @@ -968,7 +968,7 @@ "packet_delta_count": 16, "protocol_identifier": 6, "source_ipv4_address": "52.216.130.237", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 27, "type": "netflow_flow" @@ -994,7 +994,7 @@ "bytes": 4717, "ip": "52.216.130.237", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 16, "port": 443 } 
@@ -1045,7 +1045,7 @@ "packet_delta_count": 13, "protocol_identifier": 6, "source_ipv4_address": "192.168.0.157", - "source_mac_address": "b0:34:95:0d:d2:5d", + "source_mac_address": "B0-34-95-0D-D2-5D", "source_transport_port": 51209, "tcp_control_bits": 26, "type": "netflow_flow" @@ -1071,7 +1071,7 @@ "bytes": 2419, "ip": "192.168.0.157", "locality": "internal", - "mac": "b0:34:95:0d:d2:5d", + "mac": "B0-34-95-0D-D2-5D", "packets": 13, "port": 51209 } @@ -1122,7 +1122,7 @@ "packet_delta_count": 10, "protocol_identifier": 6, "source_ipv4_address": "172.217.23.232", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 26, "type": "netflow_flow" @@ -1148,7 +1148,7 @@ "bytes": 5551, "ip": "172.217.23.232", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 10, "port": 443 } @@ -1199,7 +1199,7 @@ "packet_delta_count": 3, "protocol_identifier": 6, "source_ipv4_address": "107.21.232.174", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 25, "type": "netflow_flow" @@ -1225,7 +1225,7 @@ "bytes": 187, "ip": "107.21.232.174", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 3, "port": 443 } @@ -1276,7 +1276,7 @@ "packet_delta_count": 2, "protocol_identifier": 6, "source_ipv4_address": "192.168.3.178", - "source_mac_address": "dc:ef:ca:4c:da:57", + "source_mac_address": "DC-EF-CA-4C-DA-57", "source_transport_port": 45584, "tcp_control_bits": 17, "type": "netflow_flow" @@ -1302,7 +1302,7 @@ "bytes": 104, "ip": "192.168.3.178", "locality": "internal", - "mac": "dc:ef:ca:4c:da:57", + "mac": "DC-EF-CA-4C-DA-57", "packets": 2, "port": 45584 } 
@@ -1353,7 +1353,7 @@ "packet_delta_count": 72, "protocol_identifier": 6, "source_ipv4_address": "192.168.2.118", - "source_mac_address": "70:18:8b:5c:c9:b5", + "source_mac_address": "70-18-8B-5C-C9-B5", "source_transport_port": 64233, "tcp_control_bits": 27, "type": "netflow_flow" @@ -1379,7 +1379,7 @@ "bytes": 4050, "ip": "192.168.2.118", "locality": "internal", - "mac": "70:18:8b:5c:c9:b5", + "mac": "70-18-8B-5C-C9-B5", "packets": 72, "port": 64233 } @@ -1430,7 +1430,7 @@ "packet_delta_count": 72, "protocol_identifier": 6, "source_ipv4_address": "95.0.145.242", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 2222, "tcp_control_bits": 27, "type": "netflow_flow" @@ -1456,7 +1456,7 @@ "bytes": 3719, "ip": "95.0.145.242", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 72, "port": 2222 } @@ -1507,7 +1507,7 @@ "packet_delta_count": 16, "protocol_identifier": 6, "source_ipv4_address": "192.168.0.79", - "source_mac_address": "8c:29:37:7a:28:c0", + "source_mac_address": "8C-29-37-7A-28-C0", "source_transport_port": 54275, "tcp_control_bits": 26, "type": "netflow_flow" @@ -1533,7 +1533,7 @@ "bytes": 1402, "ip": "192.168.0.79", "locality": "internal", - "mac": "8c:29:37:7a:28:c0", + "mac": "8C-29-37-7A-28-C0", "packets": 16, "port": 54275 } @@ -1584,7 +1584,7 @@ "packet_delta_count": 17, "protocol_identifier": 6, "source_ipv4_address": "192.168.0.79", - "source_mac_address": "8c:29:37:7a:28:c0", + "source_mac_address": "8C-29-37-7A-28-C0", "source_transport_port": 54276, "tcp_control_bits": 26, "type": "netflow_flow" @@ -1610,7 +1610,7 @@ "bytes": 1538, "ip": "192.168.0.79", "locality": "internal", - "mac": "8c:29:37:7a:28:c0", + "mac": "8C-29-37-7A-28-C0", "packets": 17, "port": 54276 } 
@@ -1661,7 +1661,7 @@ "packet_delta_count": 14, "protocol_identifier": 6, "source_ipv4_address": "23.5.100.66", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 26, "type": "netflow_flow" @@ -1687,7 +1687,7 @@ "bytes": 13002, "ip": "23.5.100.66", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 14, "port": 443 } @@ -1738,7 +1738,7 @@ "packet_delta_count": 4, "protocol_identifier": 6, "source_ipv4_address": "170.251.180.15", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 24, "type": "netflow_flow" @@ -1764,7 +1764,7 @@ "bytes": 1194, "ip": "170.251.180.15", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 4, "port": 443 } @@ -1815,7 +1815,7 @@ "packet_delta_count": 2, "protocol_identifier": 6, "source_ipv4_address": "192.168.0.61", - "source_mac_address": "90:61:ae:76:e5:e9", + "source_mac_address": "90-61-AE-76-E5-E9", "source_transport_port": 57007, "tcp_control_bits": 24, "type": "netflow_flow" @@ -1841,7 +1841,7 @@ "bytes": 682, "ip": "192.168.0.61", "locality": "internal", - "mac": "90:61:ae:76:e5:e9", + "mac": "90-61-AE-76-E5-E9", "packets": 2, "port": 57007 } @@ -1892,7 +1892,7 @@ "packet_delta_count": 11, "protocol_identifier": 6, "source_ipv4_address": "192.168.3.34", - "source_mac_address": "1c:5c:f2:07:0f:2a", + "source_mac_address": "1C-5C-F2-07-0F-2A", "source_transport_port": 61694, "tcp_control_bits": 26, "type": "netflow_flow" @@ -1918,7 +1918,7 @@ "bytes": 1804, "ip": "192.168.3.34", "locality": "internal", - "mac": "1c:5c:f2:07:0f:2a", + "mac": "1C-5C-F2-07-0F-2A", "packets": 11, "port": 61694 } 
@@ -1969,7 +1969,7 @@ "packet_delta_count": 9, "protocol_identifier": 6, "source_ipv4_address": "185.60.218.19", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 26, "type": "netflow_flow" @@ -1995,7 +1995,7 @@ "bytes": 4774, "ip": "185.60.218.19", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 9, "port": 443 } @@ -2046,7 +2046,7 @@ "packet_delta_count": 2, "protocol_identifier": 6, "source_ipv4_address": "192.168.3.200", - "source_mac_address": "18:20:32:bb:1d:62", + "source_mac_address": "18-20-32-BB-1D-62", "source_transport_port": 64493, "tcp_control_bits": 24, "type": "netflow_flow" @@ -2072,7 +2072,7 @@ "bytes": 135, "ip": "192.168.3.200", "locality": "internal", - "mac": "18:20:32:bb:1d:62", + "mac": "18-20-32-BB-1D-62", "packets": 2, "port": 64493 } @@ -2123,7 +2123,7 @@ "packet_delta_count": 2, "protocol_identifier": 6, "source_ipv4_address": "185.60.218.15", - "source_mac_address": "00:23:04:18:ef:40", + "source_mac_address": "00-23-04-18-EF-40", "source_transport_port": 443, "tcp_control_bits": 24, "type": "netflow_flow" @@ -2149,7 +2149,7 @@ "bytes": 135, "ip": "185.60.218.15", "locality": "external", - "mac": "00:23:04:18:ef:40", + "mac": "00-23-04-18-EF-40", "packets": 2, "port": 443 } @@ -2200,7 +2200,7 @@ "packet_delta_count": 3, "protocol_identifier": 6, "source_ipv4_address": "192.168.0.95", - "source_mac_address": "a0:39:f7:4d:49:d5", + "source_mac_address": "A0-39-F7-4D-49-D5", "source_transport_port": 35053, "tcp_control_bits": 24, "type": "netflow_flow" @@ -2226,7 +2226,7 @@ "bytes": 194, "ip": "192.168.0.95", "locality": "internal", - "mac": "a0:39:f7:4d:49:d5", + "mac": "A0-39-F7-4D-49-D5", "packets": 3, "port": 35053 } 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-NBAR-flowset-262.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-NBAR-flowset-262.golden.json index f81aba8d536..5dde94af053 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-NBAR-flowset-262.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-NBAR-flowset-262.golden.json @@ -8,7 +8,7 @@ "destination": { "ip": "10.30.19.180", "locality": "internal", - "mac": "1c:df:0f:7e:c3:58", + "mac": "1C-DF-0F-7E-C3-58", "port": 2048 }, "event": { @@ -33,7 +33,7 @@ "bgp_destination_as_number": 0, "bgp_source_as_number": 0, "destination_ipv4_address": "10.30.19.180", - "destination_mac_address": "1c:df:0f:7e:c3:58", + "destination_mac_address": "1C-DF-0F-7E-C3-58", "destination_transport_port": 2048, "egress_interface": 0, "exporter": { @@ -57,7 +57,7 @@ "source_ipv4_address": "10.30.18.62", "source_ipv4_prefix": "10.30.18.0", "source_ipv4_prefix_length": 23, - "source_mac_address": "00:50:56:91:56:86", + "source_mac_address": "00-50-56-91-56-86", "source_transport_port": 0, "tcp_source_port": 0, "type": "netflow_flow", @@ -84,7 +84,7 @@ "bytes": 44, "ip": "10.30.18.62", "locality": "internal", - "mac": "00:50:56:91:56:86", + "mac": "00-50-56-91-56-86", "packets": 1, "port": 0 } @@ -99,7 +99,7 @@ "destination": { "ip": "10.30.19.180", "locality": "internal", - "mac": "1c:df:0f:7e:c3:58", + "mac": "1C-DF-0F-7E-C3-58", "port": 161 }, "event": { @@ -124,7 +124,7 @@ "bgp_destination_as_number": 0, "bgp_source_as_number": 0, "destination_ipv4_address": "10.30.19.180", - "destination_mac_address": "1c:df:0f:7e:c3:58", + "destination_mac_address": "1C-DF-0F-7E-C3-58", "destination_transport_port": 161, "egress_interface": 0, "exporter": { 
@@ -148,7 +148,7 @@ "source_ipv4_address": "10.30.18.62", "source_ipv4_prefix": "10.30.18.0", "source_ipv4_prefix_length": 23, - "source_mac_address": "00:50:56:91:56:86", + "source_mac_address": "00-50-56-91-56-86", "source_transport_port": 34220, "tcp_source_port": 0, "type": "netflow_flow", @@ -175,7 +175,7 @@ "bytes": 106, "ip": "10.30.18.62", "locality": "internal", - "mac": "00:50:56:91:56:86", + "mac": "00-50-56-91-56-86", "packets": 1, "port": 34220 } @@ -190,7 +190,7 @@ "destination": { "ip": "10.30.19.180", "locality": "internal", - "mac": "1c:df:0f:7e:c3:58", + "mac": "1C-DF-0F-7E-C3-58", "port": 2048 }, "event": { @@ -215,7 +215,7 @@ "bgp_destination_as_number": 0, "bgp_source_as_number": 0, "destination_ipv4_address": "10.30.19.180", - "destination_mac_address": "1c:df:0f:7e:c3:58", + "destination_mac_address": "1C-DF-0F-7E-C3-58", "destination_transport_port": 2048, "egress_interface": 0, "exporter": { @@ -239,7 +239,7 @@ "source_ipv4_address": "10.10.172.60", "source_ipv4_prefix": "0.0.0.0", "source_ipv4_prefix_length": 0, - "source_mac_address": "00:18:19:9e:6c:01", + "source_mac_address": "00-18-19-9E-6C-01", "source_transport_port": 0, "tcp_source_port": 0, "type": "netflow_flow", @@ -266,7 +266,7 @@ "bytes": 44, "ip": "10.10.172.60", "locality": "internal", - "mac": "00:18:19:9e:6c:01", + "mac": "00-18-19-9E-6C-01", "packets": 1, "port": 0 } @@ -281,7 +281,7 @@ "destination": { "ip": "10.30.19.180", "locality": "internal", - "mac": "1c:df:0f:7e:c3:58", + "mac": "1C-DF-0F-7E-C3-58", "port": 123 }, "event": { @@ -306,7 +306,7 @@ "bgp_destination_as_number": 0, "bgp_source_as_number": 0, "destination_ipv4_address": "10.30.19.180", - "destination_mac_address": "1c:df:0f:7e:c3:58", + "destination_mac_address": "1C-DF-0F-7E-C3-58", "destination_transport_port": 123, "egress_interface": 0, "exporter": { 
@@ -330,7 +330,7 @@ "source_ipv4_address": "10.10.172.60", "source_ipv4_prefix": "0.0.0.0", "source_ipv4_prefix_length": 0, - "source_mac_address": "00:18:19:9e:6c:01", + "source_mac_address": "00-18-19-9E-6C-01", "source_transport_port": 123, "tcp_source_port": 0, "type": "netflow_flow", @@ -357,7 +357,7 @@ "bytes": 76, "ip": "10.10.172.60", "locality": "internal", - "mac": "00:18:19:9e:6c:01", + "mac": "00-18-19-9E-6C-01", "packets": 1, "port": 123 } @@ -372,7 +372,7 @@ "destination": { "ip": "10.30.19.180", "locality": "internal", - "mac": "1c:df:0f:7e:c3:58", + "mac": "1C-DF-0F-7E-C3-58", "port": 161 }, "event": { @@ -397,7 +397,7 @@ "bgp_destination_as_number": 0, "bgp_source_as_number": 0, "destination_ipv4_address": "10.30.19.180", - "destination_mac_address": "1c:df:0f:7e:c3:58", + "destination_mac_address": "1C-DF-0F-7E-C3-58", "destination_transport_port": 161, "egress_interface": 0, "exporter": { @@ -421,7 +421,7 @@ "source_ipv4_address": "10.10.172.60", "source_ipv4_prefix": "0.0.0.0", "source_ipv4_prefix_length": 0, - "source_mac_address": "00:18:19:9e:6c:01", + "source_mac_address": "00-18-19-9E-6C-01", "source_transport_port": 45269, "tcp_source_port": 0, "type": "netflow_flow", @@ -448,7 +448,7 @@ "bytes": 2794, "ip": "10.10.172.60", "locality": "internal", - "mac": "00:18:19:9e:6c:01", + "mac": "00-18-19-9E-6C-01", "packets": 36, "port": 45269 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-WLC.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-WLC.golden.json index 2f2c365c63f..7164eaed7b4 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-WLC.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-WLC.golden.json @@ -6,7 +6,7 @@ "Meta": null, "Fields": { "destination": { - "mac": "00:f6:63:cc:80:60" + "mac": "00-F6-63-CC-80-60" }, "event": { "action": "netflow_flow", 
@@ -37,10 +37,10 @@ "packet_delta_count": 83, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 3320, @@ -56,7 +56,7 @@ "bytes": 3320, "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51", + "mac": "34-02-86-75-C0-51", "packets": 83 } }, @@ -70,7 +70,7 @@ "destination": { "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51" + "mac": "34-02-86-75-C0-51" }, "event": { "action": "netflow_flow", @@ -101,10 +101,10 @@ "packet_delta_count": 83, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 3320, @@ -118,7 +118,7 @@ }, "source": { "bytes": 3320, - "mac": "00:f6:63:cc:80:60", + "mac": "00-F6-63-CC-80-60", "packets": 83 } }, @@ -130,7 +130,7 @@ "Meta": null, "Fields": { "destination": { - "mac": "00:f6:63:cc:80:60" + "mac": "00-F6-63-CC-80-60" }, "event": { "action": "netflow_flow", @@ -161,10 +161,10 @@ "packet_delta_count": 69, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 7760, @@ -180,7 +180,7 @@ "bytes": 7760, "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51", + "mac": "34-02-86-75-C0-51", "packets": 69 } }, 
@@ -194,7 +194,7 @@ "destination": { "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51" + "mac": "34-02-86-75-C0-51" }, "event": { "action": "netflow_flow", @@ -225,10 +225,10 @@ "packet_delta_count": 69, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 10229, @@ -242,7 +242,7 @@ }, "source": { "bytes": 10229, - "mac": "00:f6:63:cc:80:60", + "mac": "00-F6-63-CC-80-60", "packets": 69 } }, @@ -254,7 +254,7 @@ "Meta": null, "Fields": { "destination": { - "mac": "00:f6:63:cc:80:60" + "mac": "00-F6-63-CC-80-60" }, "event": { "action": "netflow_flow", @@ -285,10 +285,10 @@ "packet_delta_count": 1, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 215, @@ -304,7 +304,7 @@ "bytes": 215, "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51", + "mac": "34-02-86-75-C0-51", "packets": 1 } }, @@ -316,7 +316,7 @@ "Meta": null, "Fields": { "destination": { - "mac": "00:f6:63:cc:80:60" + "mac": "00-F6-63-CC-80-60" }, "event": { "action": "netflow_flow", @@ -347,10 +347,10 @@ "packet_delta_count": 225, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 40854, 
@@ -366,7 +366,7 @@ "bytes": 40854, "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51", + "mac": "34-02-86-75-C0-51", "packets": 225 } }, @@ -380,7 +380,7 @@ "destination": { "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51" + "mac": "34-02-86-75-C0-51" }, "event": { "action": "netflow_flow", @@ -411,10 +411,10 @@ "packet_delta_count": 154, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 35866, @@ -428,7 +428,7 @@ }, "source": { "bytes": 35866, - "mac": "00:f6:63:cc:80:60", + "mac": "00-F6-63-CC-80-60", "packets": 154 } }, @@ -440,7 +440,7 @@ "Meta": null, "Fields": { "destination": { - "mac": "00:f6:63:cc:80:60" + "mac": "00-F6-63-CC-80-60" }, "event": { "action": "netflow_flow", @@ -471,10 +471,10 @@ "packet_delta_count": 63, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 12279, @@ -490,7 +490,7 @@ "bytes": 12279, "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51", + "mac": "34-02-86-75-C0-51", "packets": 63 } }, @@ -504,7 +504,7 @@ "destination": { "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51" + "mac": "34-02-86-75-C0-51" }, "event": { "action": "netflow_flow", 
@@ -535,10 +535,10 @@ "packet_delta_count": 61, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 27287, @@ -552,7 +552,7 @@ }, "source": { "bytes": 27287, - "mac": "00:f6:63:cc:80:60", + "mac": "00-F6-63-CC-80-60", "packets": 61 } }, @@ -564,7 +564,7 @@ "Meta": null, "Fields": { "destination": { - "mac": "00:f6:63:cc:80:60" + "mac": "00-F6-63-CC-80-60" }, "event": { "action": "netflow_flow", @@ -595,10 +595,10 @@ "packet_delta_count": 773, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 147145, @@ -614,7 +614,7 @@ "bytes": 147145, "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51", + "mac": "34-02-86-75-C0-51", "packets": 773 } }, @@ -628,7 +628,7 @@ "destination": { "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51" + "mac": "34-02-86-75-C0-51" }, "event": { "action": "netflow_flow", @@ -659,10 +659,10 @@ "packet_delta_count": 1379, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 1182695, @@ -676,7 +676,7 @@ }, "source": { "bytes": 1182695, - "mac": "00:f6:63:cc:80:60", + "mac": "00-F6-63-CC-80-60", "packets": 1379 } }, 
@@ -688,7 +688,7 @@ "Meta": null, "Fields": { "destination": { - "mac": "00:f6:63:cc:80:60" + "mac": "00-F6-63-CC-80-60" }, "event": { "action": "netflow_flow", @@ -719,10 +719,10 @@ "packet_delta_count": 26, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 6777, @@ -738,7 +738,7 @@ "bytes": 6777, "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51", + "mac": "34-02-86-75-C0-51", "packets": 26 } }, @@ -752,7 +752,7 @@ "destination": { "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51" + "mac": "34-02-86-75-C0-51" }, "event": { "action": "netflow_flow", @@ -783,10 +783,10 @@ "packet_delta_count": 26, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 8625, @@ -800,7 +800,7 @@ }, "source": { "bytes": 8625, - "mac": "00:f6:63:cc:80:60", + "mac": "00-F6-63-CC-80-60", "packets": 26 } }, @@ -812,7 +812,7 @@ "Meta": null, "Fields": { "destination": { - "mac": "00:f6:63:cc:80:60" + "mac": "00-F6-63-CC-80-60" }, "event": { "action": "netflow_flow", @@ -843,10 +843,10 @@ "packet_delta_count": 20434, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 2433001, 
@@ -862,7 +862,7 @@ "bytes": 2433001, "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51", + "mac": "34-02-86-75-C0-51", "packets": 20434 } }, @@ -876,7 +876,7 @@ "destination": { "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51" + "mac": "34-02-86-75-C0-51" }, "event": { "action": "netflow_flow", @@ -907,10 +907,10 @@ "packet_delta_count": 40726, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 56599680, @@ -924,7 +924,7 @@ }, "source": { "bytes": 56599680, - "mac": "00:f6:63:cc:80:60", + "mac": "00-F6-63-CC-80-60", "packets": 40726 } }, @@ -936,7 +936,7 @@ "Meta": null, "Fields": { "destination": { - "mac": "00:f6:63:cc:80:60" + "mac": "00-F6-63-CC-80-60" }, "event": { "action": "netflow_flow", @@ -967,10 +967,10 @@ "packet_delta_count": 15, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 1658, @@ -986,7 +986,7 @@ "bytes": 1658, "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51", + "mac": "34-02-86-75-C0-51", "packets": 15 } }, @@ -1000,7 +1000,7 @@ "destination": { "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51" + "mac": "34-02-86-75-C0-51" }, "event": { "action": "netflow_flow", 
@@ -1031,10 +1031,10 @@ "packet_delta_count": 14, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 950, @@ -1048,7 +1048,7 @@ }, "source": { "bytes": 950, - "mac": "00:f6:63:cc:80:60", + "mac": "00-F6-63-CC-80-60", "packets": 14 } }, @@ -1060,7 +1060,7 @@ "Meta": null, "Fields": { "destination": { - "mac": "00:f6:63:cc:80:60" + "mac": "00-F6-63-CC-80-60" }, "event": { "action": "netflow_flow", @@ -1091,10 +1091,10 @@ "packet_delta_count": 16145, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 1495567, @@ -1110,7 +1110,7 @@ "bytes": 1495567, "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51", + "mac": "34-02-86-75-C0-51", "packets": 16145 } }, @@ -1124,7 +1124,7 @@ "destination": { "ip": "192.168.20.121", "locality": "internal", - "mac": "34:02:86:75:c0:51" + "mac": "34-02-86-75-C0-51" }, "event": { "action": "netflow_flow", @@ -1155,10 +1155,10 @@ "packet_delta_count": 53362, "post_ip_diff_serv_code_point": 0, "sta_ipv4_address": "192.168.20.121", - "sta_mac_address": "34:02:86:75:c0:51", + "sta_mac_address": "34-02-86-75-C0-51", "type": "netflow_flow", "wlan_ssid": "Test-env", - "wtp_mac_address": "00:f6:63:cc:80:60" + "wtp_mac_address": "00-F6-63-CC-80-60" }, "network": { "bytes": 80973880, @@ -1172,7 +1172,7 @@ }, "source": { "bytes": 80973880, - "mac": "00:f6:63:cc:80:60", + "mac": "00-F6-63-CC-80-60", "packets": 53362 } }, 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json index 4d2f36f4564..49083084ca1 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json @@ -8,7 +8,7 @@ "destination": { "ip": "10.4.0.251", "locality": "internal", - "mac": "44:d9:e7:be:ef:89", + "mac": "44-D9-E7-BE-EF-89", "port": 17232 }, "event": { @@ -31,7 +31,7 @@ "netflow": { "delta_flow_count": 0, "destination_ipv4_address": "10.4.0.251", - "destination_mac_address": "44:d9:e7:be:ef:89", + "destination_mac_address": "44-D9-E7-BE-EF-89", "destination_transport_port": 17232, "egress_interface": 0, "exporter": { @@ -52,7 +52,7 @@ "packet_delta_count": 2, "protocol_identifier": 17, "source_ipv4_address": "10.1.0.135", - "source_mac_address": "06:be:ef:be:ef:4f", + "source_mac_address": "06-BE-EF-BE-EF-4F", "source_transport_port": 53, "tcp_control_bits": 0, "type": "netflow_flow", @@ -79,7 +79,7 @@ "bytes": 174, "ip": "10.1.0.135", "locality": "internal", - "mac": "06:be:ef:be:ef:4f", + "mac": "06-BE-EF-BE-EF-4F", "packets": 2, "port": 53 } @@ -94,7 +94,7 @@ "destination": { "ip": "10.4.0.251", "locality": "internal", - "mac": "44:d9:e7:be:ef:89", + "mac": "44-D9-E7-BE-EF-89", "port": 17232 }, "event": { @@ -117,7 +117,7 @@ "netflow": { "delta_flow_count": 0, "destination_ipv4_address": "10.4.0.251", - "destination_mac_address": "44:d9:e7:be:ef:89", + "destination_mac_address": "44-D9-E7-BE-EF-89", "destination_transport_port": 17232, "egress_interface": 0, "exporter": { 
@@ -138,7 +138,7 @@ "packet_delta_count": 1, "protocol_identifier": 17, "source_ipv4_address": "10.1.0.136", - "source_mac_address": "06:be:ef:be:ef:4f", + "source_mac_address": "06-BE-EF-BE-EF-4F", "source_transport_port": 53, "tcp_control_bits": 0, "type": "netflow_flow", @@ -165,7 +165,7 @@ "bytes": 87, "ip": "10.1.0.136", "locality": "internal", - "mac": "06:be:ef:be:ef:4f", + "mac": "06-BE-EF-BE-EF-4F", "packets": 1, "port": 53 } @@ -180,7 +180,7 @@ "destination": { "ip": "10.4.0.251", "locality": "internal", - "mac": "44:d9:e7:be:ef:89", + "mac": "44-D9-E7-BE-EF-89", "port": 51369 }, "event": { @@ -203,7 +203,7 @@ "netflow": { "delta_flow_count": 0, "destination_ipv4_address": "10.4.0.251", - "destination_mac_address": "44:d9:e7:be:ef:89", + "destination_mac_address": "44-D9-E7-BE-EF-89", "destination_transport_port": 51369, "egress_interface": 0, "exporter": { @@ -224,7 +224,7 @@ "packet_delta_count": 15, "protocol_identifier": 6, "source_ipv4_address": "10.1.0.232", - "source_mac_address": "06:be:ef:be:ef:4f", + "source_mac_address": "06-BE-EF-BE-EF-4F", "source_transport_port": 443, "tcp_control_bits": 27, "type": "netflow_flow", @@ -251,7 +251,7 @@ "bytes": 1920, "ip": "10.1.0.232", "locality": "internal", - "mac": "06:be:ef:be:ef:4f", + "mac": "06-BE-EF-BE-EF-4F", "packets": 15, "port": 443 } @@ -266,7 +266,7 @@ "destination": { "ip": "10.4.0.251", "locality": "internal", - "mac": "44:d9:e7:be:ef:89", + "mac": "44-D9-E7-BE-EF-89", "port": 51370 }, "event": { @@ -289,7 +289,7 @@ "netflow": { "delta_flow_count": 0, "destination_ipv4_address": "10.4.0.251", - "destination_mac_address": "44:d9:e7:be:ef:89", + "destination_mac_address": "44-D9-E7-BE-EF-89", "destination_transport_port": 51370, "egress_interface": 0, "exporter": { 
@@ -310,7 +310,7 @@ "packet_delta_count": 8, "protocol_identifier": 6, "source_ipv4_address": "10.1.0.232", - "source_mac_address": "06:be:ef:be:ef:4f", + "source_mac_address": "06-BE-EF-BE-EF-4F", "source_transport_port": 443, "tcp_control_bits": 27, "type": "netflow_flow", @@ -337,7 +337,7 @@ "bytes": 610, "ip": "10.1.0.232", "locality": "internal", - "mac": "06:be:ef:be:ef:4f", + "mac": "06-BE-EF-BE-EF-4F", "packets": 8, "port": 443 } @@ -352,7 +352,7 @@ "destination": { "ip": "10.4.0.251", "locality": "internal", - "mac": "44:d9:e7:be:ef:89", + "mac": "44-D9-E7-BE-EF-89", "port": 44006 }, "event": { @@ -375,7 +375,7 @@ "netflow": { "delta_flow_count": 0, "destination_ipv4_address": "10.4.0.251", - "destination_mac_address": "44:d9:e7:be:ef:89", + "destination_mac_address": "44-D9-E7-BE-EF-89", "destination_transport_port": 44006, "egress_interface": 0, "exporter": { @@ -396,7 +396,7 @@ "packet_delta_count": 21, "protocol_identifier": 6, "source_ipv4_address": "10.5.0.91", - "source_mac_address": "06:be:ef:be:ef:4f", + "source_mac_address": "06-BE-EF-BE-EF-4F", "source_transport_port": 443, "tcp_control_bits": 31, "type": "netflow_flow", @@ -423,7 +423,7 @@ "bytes": 2420, "ip": "10.5.0.91", "locality": "internal", - "mac": "06:be:ef:be:ef:4f", + "mac": "06-BE-EF-BE-EF-4F", "packets": 21, "port": 443 } @@ -438,7 +438,7 @@ "destination": { "ip": "10.4.0.251", "locality": "internal", - "mac": "44:d9:e7:be:ef:89", + "mac": "44-D9-E7-BE-EF-89", "port": 33282 }, "event": { @@ -461,7 +461,7 @@ "netflow": { "delta_flow_count": 0, "destination_ipv4_address": "10.4.0.251", - "destination_mac_address": "44:d9:e7:be:ef:89", + "destination_mac_address": "44-D9-E7-BE-EF-89", "destination_transport_port": 33282, "egress_interface": 0, "exporter": { 
@@ -482,7 +482,7 @@ "packet_delta_count": 30, "protocol_identifier": 6, "source_ipv4_address": "10.1.0.30", - "source_mac_address": "06:be:ef:be:ef:4f", + "source_mac_address": "06-BE-EF-BE-EF-4F", "source_transport_port": 443, "tcp_control_bits": 31, "type": "netflow_flow", @@ -509,7 +509,7 @@ "bytes": 10204, "ip": "10.1.0.30", "locality": "internal", - "mac": "06:be:ef:be:ef:4f", + "mac": "06-BE-EF-BE-EF-4F", "packets": 30, "port": 443 } @@ -524,7 +524,7 @@ "destination": { "ip": "10.4.0.251", "locality": "internal", - "mac": "44:d9:e7:be:ef:89", + "mac": "44-D9-E7-BE-EF-89", "port": 64642 }, "event": { @@ -547,7 +547,7 @@ "netflow": { "delta_flow_count": 0, "destination_ipv4_address": "10.4.0.251", - "destination_mac_address": "44:d9:e7:be:ef:89", + "destination_mac_address": "44-D9-E7-BE-EF-89", "destination_transport_port": 64642, "egress_interface": 0, "exporter": { @@ -568,7 +568,7 @@ "packet_delta_count": 4, "protocol_identifier": 6, "source_ipv4_address": "10.3.0.100", - "source_mac_address": "06:be:ef:be:ef:4f", + "source_mac_address": "06-BE-EF-BE-EF-4F", "source_transport_port": 443, "tcp_control_bits": 27, "type": "netflow_flow", @@ -595,7 +595,7 @@ "bytes": 216, "ip": "10.3.0.100", "locality": "internal", - "mac": "06:be:ef:be:ef:4f", + "mac": "06-BE-EF-BE-EF-4F", "packets": 4, "port": 443 } @@ -610,7 +610,7 @@ "destination": { "ip": "10.4.0.251", "locality": "internal", - "mac": "44:d9:e7:be:ef:89", + "mac": "44-D9-E7-BE-EF-89", "port": 9497 }, "event": { @@ -633,7 +633,7 @@ "netflow": { "delta_flow_count": 0, "destination_ipv4_address": "10.4.0.251", - "destination_mac_address": "44:d9:e7:be:ef:89", + "destination_mac_address": "44-D9-E7-BE-EF-89", "destination_transport_port": 9497, "egress_interface": 0, "exporter": { 
@@ -654,7 +654,7 @@ "packet_delta_count": 1, "protocol_identifier": 17, "source_ipv4_address": "10.1.0.135", - "source_mac_address": "06:be:ef:be:ef:4f", + "source_mac_address": "06-BE-EF-BE-EF-4F", "source_transport_port": 53, "tcp_control_bits": 0, "type": "netflow_flow", @@ -681,7 +681,7 @@ "bytes": 152, "ip": "10.1.0.135", "locality": "internal", - "mac": "06:be:ef:be:ef:4f", + "mac": "06-BE-EF-BE-EF-4F", "packets": 1, "port": 53 } @@ -736,8 +736,8 @@ "mpls_label_stack_length": 4, "octet_delta_count": 260, "packet_delta_count": 5, - "post_destination_mac_address": "44:d9:e7:be:ef:8e", - "post_source_mac_address": "44:d9:e7:be:ef:22", + "post_destination_mac_address": "44-D9-E7-BE-EF-8E", + "post_source_mac_address": "44-D9-E7-BE-EF-22", "post_vlan_id": 0, "protocol_identifier": 6, "source_ipv4_address": "192.168.1.98", @@ -820,8 +820,8 @@ "mpls_label_stack_length": 4, "octet_delta_count": 32, "packet_delta_count": 1, - "post_destination_mac_address": "00:00:00:00:00:00", - "post_source_mac_address": "00:00:00:00:00:00", + "post_destination_mac_address": "00-00-00-00-00-00", + "post_source_mac_address": "00-00-00-00-00-00", "post_vlan_id": 0, "protocol_identifier": 17, "source_ipv4_address": "10.4.0.251", @@ -904,8 +904,8 @@ "mpls_label_stack_length": 4, "octet_delta_count": 135, "packet_delta_count": 1, - "post_destination_mac_address": "00:00:00:00:00:00", - "post_source_mac_address": "00:00:00:00:00:00", + "post_destination_mac_address": "00-00-00-00-00-00", + "post_source_mac_address": "00-00-00-00-00-00", "post_vlan_id": 0, "protocol_identifier": 17, "source_ipv4_address": "10.4.0.251", 
@@ -988,8 +988,8 @@ "mpls_label_stack_length": 4, "octet_delta_count": 135, "packet_delta_count": 1, - "post_destination_mac_address": "00:00:00:00:00:00", - "post_source_mac_address": "00:00:00:00:00:00", + "post_destination_mac_address": "00-00-00-00-00-00", + "post_source_mac_address": "00-00-00-00-00-00", "post_vlan_id": 0, "protocol_identifier": 17, "source_ipv4_address": "10.4.0.251", @@ -1072,8 +1072,8 @@ "mpls_label_stack_length": 4, "octet_delta_count": 135, "packet_delta_count": 1, - "post_destination_mac_address": "00:00:00:00:00:00", - "post_source_mac_address": "00:00:00:00:00:00", + "post_destination_mac_address": "00-00-00-00-00-00", + "post_source_mac_address": "00-00-00-00-00-00", "post_vlan_id": 0, "protocol_identifier": 17, "source_ipv4_address": "10.4.0.251", @@ -1156,8 +1156,8 @@ "mpls_label_stack_length": 4, "octet_delta_count": 135, "packet_delta_count": 1, - "post_destination_mac_address": "00:00:00:00:00:00", - "post_source_mac_address": "00:00:00:00:00:00", + "post_destination_mac_address": "00-00-00-00-00-00", + "post_source_mac_address": "00-00-00-00-00-00", "post_vlan_id": 0, "protocol_identifier": 17, "source_ipv4_address": "10.4.0.251", @@ -1240,8 +1240,8 @@ "mpls_label_stack_length": 4, "octet_delta_count": 135, "packet_delta_count": 1, - "post_destination_mac_address": "00:00:00:00:00:00", - "post_source_mac_address": "00:00:00:00:00:00", + "post_destination_mac_address": "00-00-00-00-00-00", + "post_source_mac_address": "00-00-00-00-00-00", "post_vlan_id": 0, "protocol_identifier": 17, "source_ipv4_address": "10.4.0.251", @@ -1324,8 +1324,8 @@ "mpls_label_stack_length": 4, "octet_delta_count": 3668, "packet_delta_count": 21, - "post_destination_mac_address": "44:d9:e7:be:ef:8e", - "post_source_mac_address": "06:be:ef:be:ef:b9", + "post_destination_mac_address": "44-D9-E7-BE-EF-8E", + "post_source_mac_address": "06-BE-EF-BE-EF-B9", "post_vlan_id": 0, "protocol_identifier": 6, "source_ipv4_address": "192.168.1.102", 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json index 80d1b0e09c7..1f4315415b2 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json @@ -8,7 +8,7 @@ "destination": { "ip": "193.151.198.166", "locality": "external", - "mac": "00:1b:21:bc:24:dd", + "mac": "00-1B-21-BC-24-DD", "port": 36025 }, "event": { @@ -30,7 +30,7 @@ }, "netflow": { "destination_ipv4_address": "193.151.198.166", - "destination_mac_address": "00:1b:21:bc:24:dd", + "destination_mac_address": "00-1B-21-BC-24-DD", "destination_transport_port": 36025, "egress_interface": 7, "egress_physical_interface": 7, @@ -52,7 +52,7 @@ "packet_delta_count": 3, "protocol_identifier": 6, "source_ipv4_address": "37.122.1.226", - "source_mac_address": "90:e2:ba:23:09:fc", + "source_mac_address": "90-E2-BA-23-09-FC", "source_transport_port": 27622, "tcp_control_bits": 2, "tcp_options": 4026531840, @@ -79,7 +79,7 @@ "bytes": 156, "ip": "37.122.1.226", "locality": "external", - "mac": "90:e2:ba:23:09:fc", + "mac": "90-E2-BA-23-09-FC", "packets": 3, "port": 27622 } @@ -94,7 +94,7 @@ "destination": { "ip": "193.151.199.69", "locality": "external", - "mac": "00:1b:21:bc:24:dd", + "mac": "00-1B-21-BC-24-DD", "port": 29598 }, "event": { @@ -116,7 +116,7 @@ }, "netflow": { "destination_ipv4_address": "193.151.199.69", - "destination_mac_address": "00:1b:21:bc:24:dd", + "destination_mac_address": "00-1B-21-BC-24-DD", "destination_transport_port": 29598, "egress_interface": 7, "egress_physical_interface": 7, 
@@ -138,7 +138,7 @@ "packet_delta_count": 1, "protocol_identifier": 6, "source_ipv4_address": "5.141.231.166", - "source_mac_address": "90:e2:ba:23:09:fc", + "source_mac_address": "90-E2-BA-23-09-FC", "source_transport_port": 31178, "tcp_control_bits": 2, "tcp_options": 3489660928, @@ -165,7 +165,7 @@ "bytes": 48, "ip": "5.141.231.166", "locality": "external", - "mac": "90:e2:ba:23:09:fc", + "mac": "90-E2-BA-23-09-FC", "packets": 1, "port": 31178 } @@ -180,7 +180,7 @@ "destination": { "ip": "212.224.113.74", "locality": "external", - "mac": "00:1b:21:bc:24:dc", + "mac": "00-1B-21-BC-24-DC", "port": 443 }, "event": { @@ -202,7 +202,7 @@ }, "netflow": { "destination_ipv4_address": "212.224.113.74", - "destination_mac_address": "00:1b:21:bc:24:dc", + "destination_mac_address": "00-1B-21-BC-24-DC", "destination_transport_port": 443, "egress_interface": 7, "egress_physical_interface": 7, @@ -224,7 +224,7 @@ "packet_delta_count": 11, "protocol_identifier": 6, "source_ipv4_address": "10.233.128.4", - "source_mac_address": "00:04:96:97:b8:cd", + "source_mac_address": "00-04-96-97-B8-CD", "source_transport_port": 53688, "tcp_control_bits": 211, "tcp_options": 4043309057, @@ -251,7 +251,7 @@ "bytes": 584, "ip": "10.233.128.4", "locality": "internal", - "mac": "00:04:96:97:b8:cd", + "mac": "00-04-96-97-B8-CD", "packets": 11, "port": 53688 } @@ -266,7 +266,7 @@ "destination": { "ip": "10.236.8.4", "locality": "internal", - "mac": "00:1b:21:bc:24:dc", + "mac": "00-1B-21-BC-24-DC", "port": 51549 }, "event": { @@ -288,7 +288,7 @@ }, "netflow": { "destination_ipv4_address": "10.236.8.4", - "destination_mac_address": "00:1b:21:bc:24:dc", + "destination_mac_address": "00-1B-21-BC-24-DC", "destination_transport_port": 51549, "egress_interface": 8, "egress_physical_interface": 8, 
@@ -310,7 +310,7 @@ "packet_delta_count": 4, "protocol_identifier": 6, "source_ipv4_address": "193.151.192.46", - "source_mac_address": "00:1a:4a:16:01:81", + "source_mac_address": "00-1A-4A-16-01-81", "source_transport_port": 80, "tcp_control_bits": 27, "tcp_options": 4043309056, @@ -337,7 +337,7 @@ "bytes": 577, "ip": "193.151.192.46", "locality": "external", - "mac": "00:1a:4a:16:01:81", + "mac": "00-1A-4A-16-01-81", "packets": 4, "port": 80 } @@ -352,7 +352,7 @@ "destination": { "ip": "62.221.115.205", "locality": "external", - "mac": "00:1b:21:bc:24:dc", + "mac": "00-1B-21-BC-24-DC", "port": 1024 }, "event": { @@ -374,7 +374,7 @@ }, "netflow": { "destination_ipv4_address": "62.221.115.205", - "destination_mac_address": "00:1b:21:bc:24:dc", + "destination_mac_address": "00-1B-21-BC-24-DC", "destination_transport_port": 1024, "egress_interface": 7, "egress_physical_interface": 7, @@ -396,7 +396,7 @@ "packet_delta_count": 3, "protocol_identifier": 6, "source_ipv4_address": "10.235.197.6", - "source_mac_address": "00:04:96:97:b8:cd", + "source_mac_address": "00-04-96-97-B8-CD", "source_transport_port": 57505, "tcp_control_bits": 2, "tcp_options": 4026531840, @@ -423,7 +423,7 @@ "bytes": 152, "ip": "10.235.197.6", "locality": "internal", - "mac": "00:04:96:97:b8:cd", + "mac": "00-04-96-97-B8-CD", "packets": 3, "port": 57505 } @@ -438,7 +438,7 @@ "destination": { "ip": "37.146.125.64", "locality": "external", - "mac": "00:1b:21:bc:24:dc", + "mac": "00-1B-21-BC-24-DC", "port": 3237 }, "event": { @@ -460,7 +460,7 @@ }, "netflow": { "destination_ipv4_address": "37.146.125.64", - "destination_mac_address": "00:1b:21:bc:24:dc", + "destination_mac_address": "00-1B-21-BC-24-DC", "destination_transport_port": 3237, "egress_interface": 7, "egress_physical_interface": 7, 
@@ -482,7 +482,7 @@ "packet_delta_count": 3, "protocol_identifier": 6, "source_ipv4_address": "10.236.31.7", - "source_mac_address": "00:04:96:97:b8:cd", + "source_mac_address": "00-04-96-97-B8-CD", "source_transport_port": 61471, "tcp_control_bits": 2, "tcp_options": 4026531840, @@ -509,7 +509,7 @@ "bytes": 152, "ip": "10.236.31.7", "locality": "internal", - "mac": "00:04:96:97:b8:cd", + "mac": "00-04-96-97-B8-CD", "packets": 3, "port": 61471 } @@ -524,7 +524,7 @@ "destination": { "ip": "52.198.214.72", "locality": "external", - "mac": "00:1b:21:bc:24:dc", + "mac": "00-1B-21-BC-24-DC", "port": 443 }, "event": { @@ -546,7 +546,7 @@ }, "netflow": { "destination_ipv4_address": "52.198.214.72", - "destination_mac_address": "00:1b:21:bc:24:dc", + "destination_mac_address": "00-1B-21-BC-24-DC", "destination_transport_port": 443, "egress_interface": 7, "egress_physical_interface": 7, @@ -568,7 +568,7 @@ "packet_delta_count": 15, "protocol_identifier": 6, "source_ipv4_address": "10.233.151.8", - "source_mac_address": "00:04:96:97:b8:cd", + "source_mac_address": "00-04-96-97-B8-CD", "source_transport_port": 58044, "tcp_control_bits": 31, "tcp_options": 4177526784, @@ -595,7 +595,7 @@ "bytes": 1809, "ip": "10.233.151.8", "locality": "internal", - "mac": "00:04:96:97:b8:cd", + "mac": "00-04-96-97-B8-CD", "packets": 15, "port": 58044 } @@ -610,7 +610,7 @@ "destination": { "ip": "64.233.161.188", "locality": "external", - "mac": "00:1b:21:bc:24:dc", + "mac": "00-1B-21-BC-24-DC", "port": 5228 }, "event": { @@ -632,7 +632,7 @@ }, "netflow": { "destination_ipv4_address": "64.233.161.188", - "destination_mac_address": "00:1b:21:bc:24:dc", + "destination_mac_address": "00-1B-21-BC-24-DC", "destination_transport_port": 5228, "egress_interface": 7, "egress_physical_interface": 7, 
@@ -654,7 +654,7 @@ "packet_delta_count": 3, "protocol_identifier": 6, "source_ipv4_address": "10.234.22.4", - "source_mac_address": "00:04:96:97:b8:cd", + "source_mac_address": "00-04-96-97-B8-CD", "source_transport_port": 60583, "tcp_control_bits": 24, "tcp_options": 2164260864, @@ -681,7 +681,7 @@ "bytes": 234, "ip": "10.234.22.4", "locality": "internal", - "mac": "00:04:96:97:b8:cd", + "mac": "00-04-96-97-B8-CD", "packets": 3, "port": 60583 } @@ -696,7 +696,7 @@ "destination": { "ip": "185.209.20.240", "locality": "external", - "mac": "00:1b:21:bc:24:dc", + "mac": "00-1B-21-BC-24-DC", "port": 80 }, "event": { @@ -718,7 +718,7 @@ }, "netflow": { "destination_ipv4_address": "185.209.20.240", - "destination_mac_address": "00:1b:21:bc:24:dc", + "destination_mac_address": "00-1B-21-BC-24-DC", "destination_transport_port": 80, "egress_interface": 7, "egress_physical_interface": 7, @@ -740,7 +740,7 @@ "packet_delta_count": 22, "protocol_identifier": 6, "source_ipv4_address": "10.233.36.7", - "source_mac_address": "00:04:96:97:b8:cd", + "source_mac_address": "00-04-96-97-B8-CD", "source_transport_port": 51399, "tcp_control_bits": 27, "tcp_options": 4043309056, @@ -767,7 +767,7 @@ "bytes": 1681, "ip": "10.233.36.7", "locality": "internal", - "mac": "00:04:96:97:b8:cd", + "mac": "00-04-96-97-B8-CD", "packets": 22, "port": 51399 } @@ -782,7 +782,7 @@ "destination": { "ip": "84.39.245.175", "locality": "external", - "mac": "00:1b:21:bc:24:dc", + "mac": "00-1B-21-BC-24-DC", "port": 18580 }, "event": { @@ -804,7 +804,7 @@ }, "netflow": { "destination_ipv4_address": "84.39.245.175", - "destination_mac_address": "00:1b:21:bc:24:dc", + "destination_mac_address": "00-1B-21-BC-24-DC", "destination_transport_port": 18580, "egress_interface": 7, "egress_physical_interface": 7, 
@@ -826,7 +826,7 @@ "packet_delta_count": 3, "protocol_identifier": 6, "source_ipv4_address": "10.233.200.7", - "source_mac_address": "00:04:96:97:b8:cd", + "source_mac_address": "00-04-96-97-B8-CD", "source_transport_port": 61820, "tcp_control_bits": 2, "tcp_options": 4026531840, @@ -853,7 +853,7 @@ "bytes": 152, "ip": "10.233.200.7", "locality": "internal", - "mac": "00:04:96:97:b8:cd", + "mac": "00-04-96-97-B8-CD", "packets": 3, "port": 61820 } @@ -868,7 +868,7 @@ "destination": { "ip": "10.232.8.45", "locality": "internal", - "mac": "00:1b:21:bc:24:dd", + "mac": "00-1B-21-BC-24-DD", "port": 56257 }, "event": { @@ -890,7 +890,7 @@ }, "netflow": { "destination_ipv4_address": "10.232.8.45", - "destination_mac_address": "00:1b:21:bc:24:dd", + "destination_mac_address": "00-1B-21-BC-24-DD", "destination_transport_port": 56257, "egress_interface": 8, "egress_physical_interface": 8, @@ -912,7 +912,7 @@ "packet_delta_count": 3, "protocol_identifier": 6, "source_ipv4_address": "23.43.139.27", - "source_mac_address": "90:e2:ba:23:09:fc", + "source_mac_address": "90-E2-BA-23-09-FC", "source_transport_port": 80, "tcp_control_bits": 26, "tcp_options": 4026531840, @@ -939,7 +939,7 @@ "bytes": 1866, "ip": "23.43.139.27", "locality": "external", - "mac": "90:e2:ba:23:09:fc", + "mac": "90-E2-BA-23-09-FC", "packets": 3, "port": 80 } @@ -954,7 +954,7 @@ "destination": { "ip": "10.233.150.21", "locality": "internal", - "mac": "00:1b:21:bc:24:dd", + "mac": "00-1B-21-BC-24-DD", "port": 38164 }, "event": { @@ -976,7 +976,7 @@ }, "netflow": { "destination_ipv4_address": "10.233.150.21", - "destination_mac_address": "00:1b:21:bc:24:dd", + "destination_mac_address": "00-1B-21-BC-24-DD", "destination_transport_port": 38164, "egress_interface": 8, "egress_physical_interface": 8, 
@@ -998,7 +998,7 @@ "packet_delta_count": 3, "protocol_identifier": 6, "source_ipv4_address": "2.17.140.47", - "source_mac_address": "90:e2:ba:23:09:fc", + "source_mac_address": "90-E2-BA-23-09-FC", "source_transport_port": 443, "tcp_control_bits": 25, "tcp_options": 2164260864, @@ -1025,7 +1025,7 @@ "bytes": 187, "ip": "2.17.140.47", "locality": "external", - "mac": "90:e2:ba:23:09:fc", + "mac": "90-E2-BA-23-09-FC", "packets": 3, "port": 443 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json index e2aee36c229..6135a7e669e 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json @@ -43,7 +43,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 22 }, "event": { @@ -62,7 +62,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 22, "exporter": { "address": "192.0.2.1:4444", @@ -73,7 +73,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 65058, "type": "netflow_flow" }, @@ -95,7 +95,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 65058 } }, @@ -109,7 +109,7 @@ "destination": { "ip": "172.16.32.100", "locality": "internal", - "mac": "00:0c:29:8d:af:c3", + "mac": "00-0C-29-8D-AF-C3", "port": 123 }, "event": { 
@@ -128,7 +128,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.100", - "destination_mac_address": "00:0c:29:8d:af:c3", + "destination_mac_address": "00-0C-29-8D-AF-C3", "destination_transport_port": 123, "exporter": { "address": "192.0.2.1:4444", @@ -139,7 +139,7 @@ }, "protocol_identifier": 17, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 123, "type": "netflow_flow" }, @@ -161,7 +161,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 123 } }, @@ -175,7 +175,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 123 }, "event": { @@ -194,7 +194,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 123, "exporter": { "address": "192.0.2.1:4444", @@ -205,7 +205,7 @@ }, "protocol_identifier": 17, "source_ipv4_address": "172.16.32.100", - "source_mac_address": "00:0c:29:8d:af:c3", + "source_mac_address": "00-0C-29-8D-AF-C3", "source_transport_port": 123, "type": "netflow_flow" }, @@ -227,7 +227,7 @@ "source": { "ip": "172.16.32.100", "locality": "internal", - "mac": "00:0c:29:8d:af:c3", + "mac": "00-0C-29-8D-AF-C3", "port": 123 } }, @@ -241,7 +241,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 80 }, "event": { @@ -260,7 +260,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 80, "exporter": { "address": "192.0.2.1:4444", 
@@ -271,7 +271,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59157, "type": "netflow_flow" }, @@ -293,7 +293,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59157 } }, @@ -307,7 +307,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59157 }, "event": { @@ -326,7 +326,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59157, "exporter": { "address": "192.0.2.1:4444", @@ -337,7 +337,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 80, "type": "netflow_flow" }, @@ -359,7 +359,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 80 } }, @@ -373,7 +373,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 443 }, "event": { @@ -392,7 +392,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 443, "exporter": { "address": "192.0.2.1:4444", @@ -403,7 +403,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59158, "type": "netflow_flow" }, 
@@ -425,7 +425,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59158 } }, @@ -439,7 +439,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59158 }, "event": { @@ -458,7 +458,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59158, "exporter": { "address": "192.0.2.1:4444", @@ -469,7 +469,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 443, "type": "netflow_flow" }, @@ -491,7 +491,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 443 } }, @@ -505,7 +505,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 139 }, "event": { @@ -524,7 +524,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 139, "exporter": { "address": "192.0.2.1:4444", @@ -535,7 +535,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59159, "type": "netflow_flow" }, @@ -557,7 +557,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59159 } }, @@ -571,7 +571,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59159 }, "event": { 
@@ -590,7 +590,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59159, "exporter": { "address": "192.0.2.1:4444", @@ -601,7 +601,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 139, "type": "netflow_flow" }, @@ -623,7 +623,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 139 } }, @@ -637,7 +637,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 23 }, "event": { @@ -656,7 +656,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 23, "exporter": { "address": "192.0.2.1:4444", @@ -667,7 +667,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59160, "type": "netflow_flow" }, @@ -689,7 +689,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59160 } }, @@ -703,7 +703,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59160 }, "event": { @@ -722,7 +722,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59160, "exporter": { "address": "192.0.2.1:4444", 
@@ -733,7 +733,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 23, "type": "netflow_flow" }, @@ -755,7 +755,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 23 } }, @@ -769,7 +769,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 995 }, "event": { @@ -788,7 +788,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 995, "exporter": { "address": "192.0.2.1:4444", @@ -799,7 +799,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59161, "type": "netflow_flow" }, @@ -821,7 +821,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59161 } }, @@ -835,7 +835,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59161 }, "event": { @@ -854,7 +854,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59161, "exporter": { "address": "192.0.2.1:4444", @@ -865,7 +865,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 995, "type": "netflow_flow" }, 
@@ -887,7 +887,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 995 } }, @@ -901,7 +901,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 443 }, "event": { @@ -920,7 +920,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 443, "exporter": { "address": "192.0.2.1:4444", @@ -931,7 +931,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59162, "type": "netflow_flow" }, @@ -953,7 +953,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59162 } }, @@ -967,7 +967,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59162 }, "event": { @@ -986,7 +986,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59162, "exporter": { "address": "192.0.2.1:4444", @@ -997,7 +997,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 443, "type": "netflow_flow" }, @@ -1019,7 +1019,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 443 } }, @@ -1033,7 +1033,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 135 }, "event": { 
@@ -1052,7 +1052,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 135, "exporter": { "address": "192.0.2.1:4444", @@ -1063,7 +1063,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59163, "type": "netflow_flow" }, @@ -1085,7 +1085,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59163 } }, @@ -1099,7 +1099,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59163 }, "event": { @@ -1118,7 +1118,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59163, "exporter": { "address": "192.0.2.1:4444", @@ -1129,7 +1129,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 135, "type": "netflow_flow" }, @@ -1151,7 +1151,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 135 } }, @@ -1165,7 +1165,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 110 }, "event": { @@ -1184,7 +1184,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 110, "exporter": { "address": "192.0.2.1:4444", 
@@ -1195,7 +1195,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59164, "type": "netflow_flow" }, @@ -1217,7 +1217,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59164 } }, @@ -1231,7 +1231,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59164 }, "event": { @@ -1250,7 +1250,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59164, "exporter": { "address": "192.0.2.1:4444", @@ -1261,7 +1261,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 110, "type": "netflow_flow" }, @@ -1283,7 +1283,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 110 } }, @@ -1297,7 +1297,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 111 }, "event": { @@ -1316,7 +1316,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 111, "exporter": { "address": "192.0.2.1:4444", @@ -1327,7 +1327,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59165, "type": "netflow_flow" }, 
@@ -1349,7 +1349,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59165 } }, @@ -1363,7 +1363,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59165 }, "event": { @@ -1382,7 +1382,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59165, "exporter": { "address": "192.0.2.1:4444", @@ -1393,7 +1393,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 111, "type": "netflow_flow" }, @@ -1415,7 +1415,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 111 } }, @@ -1429,7 +1429,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 143 }, "event": { @@ -1448,7 +1448,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 143, "exporter": { "address": "192.0.2.1:4444", @@ -1459,7 +1459,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59166, "type": "netflow_flow" }, @@ -1481,7 +1481,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59166 } }, @@ -1495,7 +1495,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59166 }, "event": { 
@@ -1514,7 +1514,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59166, "exporter": { "address": "192.0.2.1:4444", @@ -1525,7 +1525,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 143, "type": "netflow_flow" }, @@ -1547,7 +1547,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 143 } }, @@ -1561,7 +1561,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 3389 }, "event": { @@ -1580,7 +1580,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 3389, "exporter": { "address": "192.0.2.1:4444", @@ -1591,7 +1591,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59167, "type": "netflow_flow" }, @@ -1613,7 +1613,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59167 } }, @@ -1627,7 +1627,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59167 }, "event": { @@ -1646,7 +1646,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59167, "exporter": { "address": "192.0.2.1:4444", 
@@ -1657,7 +1657,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 3389, "type": "netflow_flow" }, @@ -1679,7 +1679,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 3389 } }, @@ -1693,7 +1693,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 80 }, "event": { @@ -1712,7 +1712,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 80, "exporter": { "address": "192.0.2.1:4444", @@ -1723,7 +1723,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59168, "type": "netflow_flow" }, @@ -1745,7 +1745,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59168 } }, @@ -1759,7 +1759,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59168 }, "event": { @@ -1778,7 +1778,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59168, "exporter": { "address": "192.0.2.1:4444", @@ -1789,7 +1789,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 80, "type": "netflow_flow" }, 
@@ -1811,7 +1811,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 80 } }, @@ -1825,7 +1825,7 @@ "destination": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 25 }, "event": { @@ -1844,7 +1844,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.201", - "destination_mac_address": "00:0c:29:70:86:09", + "destination_mac_address": "00-0C-29-70-86-09", "destination_transport_port": 25, "exporter": { "address": "192.0.2.1:4444", @@ -1855,7 +1855,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.1", - "source_mac_address": "00:50:56:c0:00:01", + "source_mac_address": "00-50-56-C0-00-01", "source_transport_port": 59169, "type": "netflow_flow" }, @@ -1877,7 +1877,7 @@ "source": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59169 } }, @@ -1891,7 +1891,7 @@ "destination": { "ip": "172.16.32.1", "locality": "internal", - "mac": "00:50:56:c0:00:01", + "mac": "00-50-56-C0-00-01", "port": 59169 }, "event": { @@ -1910,7 +1910,7 @@ }, "netflow": { "destination_ipv4_address": "172.16.32.1", - "destination_mac_address": "00:50:56:c0:00:01", + "destination_mac_address": "00-50-56-C0-00-01", "destination_transport_port": 59169, "exporter": { "address": "192.0.2.1:4444", @@ -1921,7 +1921,7 @@ }, "protocol_identifier": 6, "source_ipv4_address": "172.16.32.201", - "source_mac_address": "00:0c:29:70:86:09", + "source_mac_address": "00-0C-29-70-86-09", "source_transport_port": 25, "type": "netflow_flow" }, @@ -1943,7 +1943,7 @@ "source": { "ip": "172.16.32.201", "locality": "internal", - "mac": "00:0c:29:70:86:09", + "mac": "00-0C-29-70-86-09", "port": 25 } }, 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json index 39779cda488..f3e6e23ff7b 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json @@ -48,8 +48,8 @@ "mpls_label_stack_length": 2, "octet_delta_count": 421, "packet_delta_count": 6, - "post_destination_mac_address": "04:18:d6:f0:81:b5", - "post_source_mac_address": "00:11:bb:7f:20:42", + "post_destination_mac_address": "04-18-D6-F0-81-B5", + "post_source_mac_address": "00-11-BB-7F-20-42", "post_vlan_id": 0, "protocol_identifier": 6, "source_ipv4_address": "10.100.5.2", @@ -132,8 +132,8 @@ "mpls_label_stack_length": 2, "octet_delta_count": 7621, "packet_delta_count": 131, - "post_destination_mac_address": "04:18:d6:f0:81:b5", - "post_source_mac_address": "00:11:bb:7f:20:42", + "post_destination_mac_address": "04-18-D6-F0-81-B5", + "post_source_mac_address": "00-11-BB-7F-20-42", "post_vlan_id": 0, "protocol_identifier": 6, "source_ipv4_address": "10.100.6.93", @@ -216,8 +216,8 @@ "mpls_label_stack_length": 3, "octet_delta_count": 95, "packet_delta_count": 1, - "post_destination_mac_address": "00:00:00:00:00:00", - "post_source_mac_address": "00:00:00:00:00:00", + "post_destination_mac_address": "00-00-00-00-00-00", + "post_source_mac_address": "00-00-00-00-00-00", "post_vlan_id": 0, "protocol_identifier": 17, "source_ipv4_address": "10.100.4.1", 
@@ -300,8 +300,8 @@ "mpls_label_stack_length": 2, "octet_delta_count": 3162, "packet_delta_count": 30, - "post_destination_mac_address": "04:18:d6:f0:81:b5", - "post_source_mac_address": "00:11:bb:7f:20:42", + "post_destination_mac_address": "04-18-D6-F0-81-B5", + "post_source_mac_address": "00-11-BB-7F-20-42", "post_vlan_id": 0, "protocol_identifier": 6, "source_ipv4_address": "10.100.6.93", @@ -384,8 +384,8 @@ "mpls_label_stack_length": 2, "octet_delta_count": 2711, "packet_delta_count": 13, - "post_destination_mac_address": "04:18:d6:f0:81:b5", - "post_source_mac_address": "00:11:bb:7f:20:42", + "post_destination_mac_address": "04-18-D6-F0-81-B5", + "post_source_mac_address": "00-11-BB-7F-20-42", "post_vlan_id": 0, "protocol_identifier": 6, "source_ipv4_address": "10.100.6.80", @@ -468,8 +468,8 @@ "mpls_label_stack_length": 2, "octet_delta_count": 20855, "packet_delta_count": 346, - "post_destination_mac_address": "04:18:d6:f0:81:b5", - "post_source_mac_address": "00:11:bb:7f:20:42", + "post_destination_mac_address": "04-18-D6-F0-81-B5", + "post_source_mac_address": "00-11-BB-7F-20-42", "post_vlan_id": 0, "protocol_identifier": 6, "source_ipv4_address": "10.100.6.93", @@ -552,8 +552,8 @@ "mpls_label_stack_length": 2, "octet_delta_count": 7495, "packet_delta_count": 129, - "post_destination_mac_address": "04:18:d6:f0:81:b5", - "post_source_mac_address": "00:11:bb:7f:20:42", + "post_destination_mac_address": "04-18-D6-F0-81-B5", + "post_source_mac_address": "00-11-BB-7F-20-42", "post_vlan_id": 0, "protocol_identifier": 6, "source_ipv4_address": "10.100.6.93", @@ -636,8 +636,8 @@ "mpls_label_stack_length": 2, "octet_delta_count": 7049, "packet_delta_count": 119, - "post_destination_mac_address": "04:18:d6:f0:81:b5", - "post_source_mac_address": "00:11:bb:7f:20:42", + "post_destination_mac_address": "04-18-D6-F0-81-B5", + "post_source_mac_address": "00-11-BB-7F-20-42", "post_vlan_id": 0, "protocol_identifier": 6, "source_ipv4_address": "10.100.6.93", 
@@ -720,8 +720,8 @@ "mpls_label_stack_length": 2, "octet_delta_count": 1348, "packet_delta_count": 13, - "post_destination_mac_address": "04:18:d6:f0:81:b5", - "post_source_mac_address": "00:11:bb:7f:20:42", + "post_destination_mac_address": "04-18-D6-F0-81-B5", + "post_source_mac_address": "00-11-BB-7F-20-42", "post_vlan_id": 0, "protocol_identifier": 6, "source_ipv4_address": "10.100.6.93", @@ -804,8 +804,8 @@ "mpls_label_stack_length": 2, "octet_delta_count": 82, "packet_delta_count": 1, - "post_destination_mac_address": "00:00:00:00:00:00", - "post_source_mac_address": "00:00:00:00:00:00", + "post_destination_mac_address": "00-00-00-00-00-00", + "post_source_mac_address": "00-00-00-00-00-00", "post_vlan_id": 0, "protocol_identifier": 17, "source_ipv4_address": "192.168.1.4", diff --git a/x-pack/filebeat/processors/decode_cef/decode_cef.go b/x-pack/filebeat/processors/decode_cef/decode_cef.go index 67b6634712a..8e859740080 100644 --- a/x-pack/filebeat/processors/decode_cef/decode_cef.go +++ b/x-pack/filebeat/processors/decode_cef/decode_cef.go @@ -6,10 +6,10 @@ package decode_cef import ( "encoding/json" + "fmt" "strconv" "strings" - "github.com/pkg/errors" "go.uber.org/multierr" "github.com/elastic/beats/v7/libbeat/beat" @@ -38,7 +38,7 @@ type processor struct { func New(cfg *conf.C) (processors.Processor, error) { c := defaultConfig() if err := cfg.Unpack(&c); err != nil { - return nil, errors.Wrap(err, "fail to unpack the "+procName+" processor configuration") + return nil, fmt.Errorf("fail to unpack the "+procName+" processor configuration: %w", err) } return newDecodeCEF(c) @@ -64,7 +64,7 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { if p.IgnoreMissing { return event, nil } - return event, errors.Wrapf(err, "decode_cef field [%v] not found", p.Field) + return event, fmt.Errorf("decode_cef field [%v] not found: %w", p.Field, err) } cefData, ok := v.(string) 
@@ -72,7 +72,7 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { if p.IgnoreFailure { return event, nil } - return event, errors.Wrapf(err, "decode_cef field [%v] is not a string", p.Field) + return event, fmt.Errorf("decode_cef field [%v] is not a string: %T", p.Field, v) } // Ignore any leading data before the CEF header. @@ -81,7 +81,7 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { if p.IgnoreFailure { return event, nil } - return event, errors.Errorf("decode_cef field [%v] does not contain a CEF header", p.Field) + return event, fmt.Errorf("decode_cef field [%v] does not contain a CEF header", p.Field) } cefData = cefData[idx:] @@ -91,12 +91,15 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { if p.IgnoreFailure { return event, nil } - return event, errors.Wrap(err, "decode_cef failed to parse message") + if err != nil { + err = fmt.Errorf("decode_cef failed to parse message: %w", err) + } + return event, err } cefErrors := multierr.Errors(err) cefObject := toCEFObject(&ce) - event.PutValue(p.TargetField, cefObject) + _, _ = event.PutValue(p.TargetField, cefObject) // Map CEF extension fields to ECS fields. if p.ECS { @@ -112,16 +115,16 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { if mapping.Translate != nil { translatedValue, err := mapping.Translate(field) if err != nil { - cefErrors = append(cefErrors, errors.Wrap(err, key)) + cefErrors = append(cefErrors, fmt.Errorf("%s: %w", key, err)) continue } if translatedValue != nil { - event.PutValue(mapping.Target, translatedValue) + _, _ = event.PutValue(mapping.Target, translatedValue) } } else if field.Interface != nil { - event.PutValue(mapping.Target, field.Interface) + _, _ = event.PutValue(mapping.Target, field.Interface) } else { - event.PutValue(mapping.Target, field.String) + _, _ = event.PutValue(mapping.Target, field.String) } } } 
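Review bot: The `_, _ = event.PutValue(...)` calls added in hunk `@@ -91,12 +91,15 @@` (for `p.TargetField`) and in the three branches of the mapping loop in hunk `@@ -112,16 +115,16 @@` make the discard explicit but still drop the error, so a target that cannot be written is simply missing from the event with no trace. For a processor that feeds detection pipelines, a silently absent `source.mac` or `destination.ip` is harder to notice than a recorded failure. The loop already collects translation failures in `cefErrors`, and the put errors could be collected the same way, e.g. `if _, err := event.PutValue(mapping.Target, translatedValue); err != nil { cefErrors = append(cefErrors, fmt.Errorf("%s: %w", key, err)) }`. How `cefErrors` is surfaced is not visible in these hunks, and `Run` begins and ends outside them.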
@@ -137,6 +140,7 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { return event, nil } +//nolint:errcheck // All errors are from mapstr puts. func toCEFObject(cefEvent *cef.Event) mapstr.M { // Add CEF header fields. cefObject := mapstr.M{"version": strconv.Itoa(cefEvent.Version)} @@ -175,6 +179,7 @@ func toCEFObject(cefEvent *cef.Event) mapstr.M { return cefObject } +//nolint:errcheck // All errors are from mapstr puts. func writeCEFHeaderToECS(cefEvent *cef.Event, event *beat.Event) { if cefEvent.DeviceVendor != "" { event.PutValue("observer.vendor", cefEvent.DeviceVendor) @@ -199,6 +204,7 @@ func writeCEFHeaderToECS(cefEvent *cef.Event, event *beat.Event) { } } +//nolint:errcheck // All errors are from mapstr puts. func appendErrorMessage(m mapstr.M, msg string) error { const field = "error.message" list, _ := m.GetValue(field) @@ -227,7 +233,7 @@ func appendErrorMessage(m mapstr.M, msg string) error { } m.Put(field, append(v, msg)) default: - return errors.Errorf("unexpected type %T found for %v field", list, field) + return fmt.Errorf("unexpected type %T found for %v field", list, field) } return nil } diff --git a/x-pack/filebeat/processors/decode_cef/keys.ecs.go b/x-pack/filebeat/processors/decode_cef/keys.ecs.go index e8056a1ac32..a9fc28159f7 100644 --- a/x-pack/filebeat/processors/decode_cef/keys.ecs.go +++ b/x-pack/filebeat/processors/decode_cef/keys.ecs.go 
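Review bot: The function-level `//nolint:errcheck // All errors are from mapstr puts.` added to `toCEFObject`, `writeCEFHeaderToECS` and `appendErrorMessage` silences errcheck for every call in those functions, including calls added later, while `Run` in the same file marks each ignored result individually with `_, _ =`. One convention would keep the suppression scoped to the calls that were actually reviewed; in `appendErrorMessage` that would read `_, _ = m.Put(field, append(v, msg))`. That function itself returns an error, so a failed put there loses the message it was asked to record, which seems worth returning rather than ignoring. Only parts of these three function bodies are inside the hunks.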
@@ -5,38 +5,51 @@ package decode_cef import ( + "errors" "strings" - "github.com/pkg/errors" - "github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef/cef" ) type mappedField struct { - Target string + // Target is the ECS target field for the mapped field. + Target string + + // Translate is the mapping function required to translate + // the CEF field data into an ECS-conformant format. + // If Translate is nil, no translation is done. + // Translate should not mutate the input and should + // return an error if the input data cannot be correctly + // mapped to ECS-formatted data for the target field. Translate func(in *cef.Field) (interface{}, error) } var ecsExtensionMapping = map[string]mappedField{ - "agentAddress": {Target: "agent.ip"}, - "agentDnsDomain": {Target: "agent.name"}, - "agentHostName": {Target: "agent.name"}, - "agentId": {Target: "agent.id"}, - "agentMacAddress": {Target: "agent.mac"}, - "agentReceiptTime": {Target: "event.created"}, - "agentType": {Target: "agent.type"}, - "agentVersion": {Target: "agent.version"}, - "applicationProtocol": {Target: "network.application"}, - "bytesIn": {Target: "source.bytes"}, - "bytesOut": {Target: "destination.bytes"}, - "customerExternalID": {Target: "organization.id"}, - "customerURI": {Target: "organization.name"}, - "destinationAddress": {Target: "destination.ip"}, - "destinationDnsDomain": {Target: "destination.domain"}, - "destinationGeoLatitude": {Target: "destination.geo.location.lat"}, - "destinationGeoLongitude": {Target: "destination.geo.location.lon"}, - "destinationHostName": {Target: "destination.domain"}, - "destinationMacAddress": {Target: "destination.mac"}, + "agentAddress": {Target: "agent.ip"}, + "agentDnsDomain": {Target: "agent.name"}, + "agentHostName": {Target: "agent.name"}, + "agentId": {Target: "agent.id"}, + "agentMacAddress": { + Target: "agent.mac", + Translate: ecsMAC, + }, + "agentReceiptTime": {Target: "event.created"}, + "agentType": {Target: "agent.type"}, + 
"agentVersion": {Target: "agent.version"}, + "applicationProtocol": {Target: "network.application"}, + "bytesIn": {Target: "source.bytes"}, + "bytesOut": {Target: "destination.bytes"}, + "customerExternalID": {Target: "organization.id"}, + "customerURI": {Target: "organization.name"}, + "destinationAddress": {Target: "destination.ip"}, + "destinationDnsDomain": {Target: "destination.domain"}, + "destinationGeoLatitude": {Target: "destination.geo.location.lat"}, + "destinationGeoLongitude": {Target: "destination.geo.location.lon"}, + "destinationHostName": {Target: "destination.domain"}, + "destinationMacAddress": { + Target: "destination.mac", + Translate: ecsMAC, + }, "destinationPort": {Target: "destination.port"}, "destinationProcessId": {Target: "destination.process.pid"}, "destinationProcessName": {Target: "destination.process.name"}, @@ -57,13 +70,16 @@ var ecsExtensionMapping = map[string]mappedField{ case "1": return "outbound", nil default: - return nil, errors.Errorf("deviceDirection must be 0 or 1") + return nil, errors.New("deviceDirection must be 0 or 1") } }, }, - "deviceDnsDomain": {Target: "observer.hostname"}, - "deviceHostName": {Target: "observer.hostname"}, - "deviceMacAddress": {Target: "observer.mac"}, + "deviceDnsDomain": {Target: "observer.hostname"}, + "deviceHostName": {Target: "observer.hostname"}, + "deviceMacAddress": { + Target: "observer.mac", + Translate: ecsMAC, + }, "devicePayloadId": {Target: "event.id"}, "deviceProcessId": {Target: "process.pid"}, "deviceProcessName": {Target: "process.name"}, 
@@ -92,14 +108,17 @@ var ecsExtensionMapping = map[string]mappedField{ return nil, nil }, }, - "requestMethod": {Target: "http.request.method"}, - "requestUrl": {Target: "url.original"}, - "sourceAddress": {Target: "source.ip"}, - "sourceDnsDomain": {Target: "source.domain"}, - "sourceGeoLatitude": {Target: "source.geo.location.lat"}, - "sourceGeoLongitude": {Target: "source.geo.location.lon"}, - "sourceHostName": {Target: "source.domain"}, - "sourceMacAddress": {Target: "source.mac"}, + "requestMethod": {Target: "http.request.method"}, + "requestUrl": {Target: "url.original"}, + "sourceAddress": {Target: "source.ip"}, + "sourceDnsDomain": {Target: "source.domain"}, + "sourceGeoLatitude": {Target: "source.geo.location.lat"}, + "sourceGeoLongitude": {Target: "source.geo.location.lon"}, + "sourceHostName": {Target: "source.domain"}, + "sourceMacAddress": { + Target: "source.mac", + Translate: ecsMAC, + }, "sourcePort": {Target: "source.port"}, "sourceProcessId": {Target: "source.process.pid"}, "sourceProcessName": {Target: "source.process.name"}, @@ -118,3 +137,7 @@ var ecsExtensionMapping = map[string]mappedField{ }, "type": {Target: "event.kind"}, } + +func ecsMAC(in *cef.Field) (interface{}, error) { + return strings.ToUpper(strings.ReplaceAll(in.String, ":", "-")), nil +} diff --git a/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json b/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json index 3f1a1c38398..b7895363aec 100644 --- a/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json +++ b/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json @@ -220,7 +220,7 @@ "destination": { "bytes": 1019, "ip": "72.14.204.147", - "mac": "00:50:56:f5:7f:47", + "mac": "00-50-56-F5-7F-47", "port": 80 }, "error": { @@ -243,7 +243,7 @@ }, "source": { "ip": "192.168.126.150", - "mac": "00:0c:29:eb:35:de", + "mac": "00-0C-29-EB-35-DE", "port": 49617 } }, 
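Review bot: `ecsMAC` (hunk `@@ -118,3 +137,7 @@`) never returns an error: it replaces `:` with `-` and upper-cases whatever string the CEF extension carried, so a value that is not a MAC address, or one in another notation such as the dotted `0050.56c0.0001` (constructed example), reaches `agent.mac`, `source.mac`, `destination.mac` or `observer.mac` without being checked or normalised. That is at odds with the `Translate` contract documented in the first hunk of this file ("should return an error if the input data cannot be correctly mapped"), and CEF extensions are log data the sender controls. Parsing with `net.ParseMAC` first would normalise the separators it accepts and reject everything else; `Run` already appends a `Translate` error to `cefErrors` and skips the field. This needs `net` imported in keys.ecs.go and may be redundant if the `cef` package validates MAC-typed fields before this point, which is not visible here.

```go
// ecsMAC renders a CEF MAC address in the ECS form: upper-case hex octets
// separated by hyphens. Input that does not parse as a hardware address is
// rejected so that it is reported instead of being stored in a *.mac field.
func ecsMAC(in *cef.Field) (interface{}, error) {
	hw, err := net.ParseMAC(in.String)
	if err != nil {
		return nil, err
	}
	return strings.ToUpper(strings.ReplaceAll(hw.String(), ":", "-")), nil
}
```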
@@ -332,7 +332,7 @@ "destination": { "bytes": 1093, "ip": "72.14.204.105", - "mac": "00:50:56:f5:7f:47", + "mac": "00-50-56-F5-7F-47", "port": 80 }, "event": { @@ -353,7 +353,7 @@ }, "source": { "ip": "192.168.126.150", - "mac": "00:0c:29:eb:35:de", + "mac": "00-0C-29-EB-35-DE", "port": 49786 } }, @@ -800,7 +800,7 @@ "agent": { "id": "4SNQXV30BABCAIi+-ZH3gxT==", "ip": "10.2.3.4", - "mac": "00:50:56:8e:c0:90", + "mac": "00-50-56-8E-C0-90", "name": "centos7.as", "type": "syslog", "version": "7.6.0.8009.0"