diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 88c4ddcea99..31cba771a2f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -107,6 +107,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add dashboard for AWS ELB fileset. {pull}15804[15804] - Add dashboard for AWS vpcflow fileset. {pull}16007[16007] - Add ECS tls fields to zeek:smtp,rdp,ssl and aws:s3access,elb {issue}15757[15757] {pull}15935[15936] +- Add custom string mapping to CEF module to support Forcepoint NGFW {issue}14663[14663] {pull}15910[15910] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 98dc6ff13e3..701eded16af 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -4655,9 +4655,27 @@ type: keyword [[exported-fields-cef-module]] == CEF fields -Module for receiving CEF logs over Syslog. The module does not add fields beyond what the decode_cef processor provides. +Module for receiving CEF logs over Syslog. The module adds vendor specific fields in addition to the fields the decode_cef processor provides. + +[float] +=== forcepoint + +Fields for Forcepoint Custom String mappings + + + +*`forcepoint.virus_id`*:: ++ +-- +Virus ID + + +type: keyword + +-- + [[exported-fields-cisco]] == Cisco fields diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index 8d77f147853..97c0469daa5 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc 
@@ -40,6 +40,19 @@ The UDP port to listen for syslog traffic. Defaults to `9003` NOTE: Ports below 1024 require Filebeat to run as root. +[float] +==== Forcepoint NGFW Security Management Center + +This module will process CEF data from Forcepoint NGFW Security +Management Center (SMC). In the SMC configure the logs to be +forwarded to the address set in `var.syslog_host` in format CEF and +service UDP on `var.syslog_port`. Instructions can be found in +https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for +configuring the SMC. Testing was done with CEF logs from SMC version +6.6.1 and custom string mappings were taken from 'CEF Connector +Configuration Guide' dated December 5, 2011. + + :has-dashboards!: :fileset_ex!: @@ -47,6 +60,7 @@ NOTE: Ports below 1024 require Filebeat to run as root. :modulename!: + [float] === Fields diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index 89b63cc88bd..19b2f5eb1b3 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -35,8 +35,22 @@ The UDP port to listen for syslog traffic. Defaults to `9003` NOTE: Ports below 1024 require Filebeat to run as root. +[float] +==== Forcepoint NGFW Security Management Center + +This module will process CEF data from Forcepoint NGFW Security +Management Center (SMC). In the SMC configure the logs to be +forwarded to the address set in `var.syslog_host` in format CEF and +service UDP on `var.syslog_port`. Instructions can be found in +https://support.forcepoint.com/KBArticle?id=000015002[KB 15002] for +configuring the SMC. Testing was done with CEF logs from SMC version +6.6.1 and custom string mappings were taken from 'CEF Connector +Configuration Guide' dated December 5, 2011. + + :has-dashboards!: :fileset_ex!: :modulename!: + 
diff --git a/x-pack/filebeat/module/cef/_meta/fields.yml b/x-pack/filebeat/module/cef/_meta/fields.yml index 6cd823e6bb8..1ea96f71d81 100644 --- a/x-pack/filebeat/module/cef/_meta/fields.yml +++ b/x-pack/filebeat/module/cef/_meta/fields.yml @@ -1,6 +1,7 @@ - key: cef-module title: CEF description: > - Module for receiving CEF logs over Syslog. The module does not add fields - beyond what the decode_cef processor provides. + Module for receiving CEF logs over Syslog. The module adds vendor + specific fields in addition to the fields the decode_cef processor + provides. fields: diff --git a/x-pack/filebeat/module/cef/fields.go b/x-pack/filebeat/module/cef/fields.go index 194c5dbe918..19312fd7aca 100644 --- a/x-pack/filebeat/module/cef/fields.go +++ b/x-pack/filebeat/module/cef/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCef returns asset data. // This is the base64 encoded gzipped contents of module/cef. func AssetCef() string { - return "eJwszDEOwjAQRNHep5gLJAdwQYOgo4IeBe84sTDeyGuCcnuUQDfFn9fhydUjMHYvlXemA1pqmR7H09kBQgs1zS1p8Tg4ALjsIaJWVAamJZVxq5F1NOjCiutqWccet4n4uRCloWjDIIKYmMV27cFVi+AzDQ1tIoRBhffAiLlqoJnWbS1JaL3D/+vdNwAA//95Jj6g" + return "eJx8kMFq8zAQhO9+inmB5AF0+C/5a+ihp5RejZFWzhJZK7Syi9++yImDk0L3JHZGsx9zwJUWA0v+MIqbAjVA4RLI4PTWNoAjtZlTYYkG/xoA+FiN8JKRyRLPHIfqRpBBITNlnBcNMhzxeSHcctE7p5gpOslriiay7NnCMwWn4FgtXA+hCMqFNqU+HVlx1FnySFksqd5jUpaZHemxwd1v1n2dA2I/kqmklpJwLA8JKEsigyHLlHZbR76fQunWKAPfB6Un+Vcb27Q32NpK+7iH06RFRpxLriWNfUocB919fGXec8+cJ+3YPYkb+ZWWb8mv2h+Adb5qIt7/Nz8BAAD//0k3k/4=" } diff --git a/x-pack/filebeat/module/cef/log/_meta/fields.yml b/x-pack/filebeat/module/cef/log/_meta/fields.yml new file mode 100644 index 00000000000..0d24bf8458f --- /dev/null +++ b/x-pack/filebeat/module/cef/log/_meta/fields.yml @@ -0,0 +1,10 @@ +- name: forcepoint + type: group + default_field: false + description: > + Fields for Forcepoint Custom String mappings + fields: + - name: virus_id + type: keyword + description: > + Virus ID 
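Review bot: In the new log/_meta/fields.yml hunk the group is declared as top-level `forcepoint`, so the keyword mapping (and `default_field: false`) is registered for `forcepoint.virus_id`, and the generated filebeat/docs/fields.asciidoc in this same change documents it under that name, yet the fileset's fp-pipeline.yml writes the value to `cef.forcepoint.virus_id`. The field the pipeline actually produces therefore falls through to dynamic mapping and the documented field is never populated. Either nest the group under the module namespace with `- name: cef.forcepoint` or change the pipeline's `field:` to `forcepoint.virus_id`, and keep whichever name the fieldset docs and the expected-JSON fixture end up using in sync.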
diff --git a/x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml
new file mode 100644
index 00000000000..3fe032c00fb
--- /dev/null
+++ b/x-pack/filebeat/module/cef/log/ingest/fp-pipeline.yml
@@ -0,0 +1,27 @@
+---
+description: Pipeline for Forcepoint CEF
+
+processors:
+ # cs1 is ruleID
+ - set:
+ field: rule.id
+ value: "{{cef.extensions.deviceCustomString1}}"
+ if: "ctx.cef?.extensions?.deviceCustomString1 != null"
+
+ # cs2 is natRuleID
+ - set:
+ field: rule.id
+ value: "{{cef.extensions.deviceCustomString2}}"
+ if: "ctx.cef?.extensions?.deviceCustomString2 != null"
+
+ # cs3 is VulnerabilityReference
+ - set:
+ field: vulnerability.reference
+ value: "{{cef.extensions.deviceCustomString3}}"
+ if: "ctx.cef?.extensions?.deviceCustomString3 != null"
+
+ # cs4 is virusID
+ - set:
+ field: cef.forcepoint.virus_id
+ value: "{{cef.extensions.deviceCustomString4}}"
+ if: "ctx.cef?.extensions?.deviceCustomString4 != null"
diff --git a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml
index fd520132cca..2600dbeec08 100644
--- a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml
@@ -45,7 +45,9 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
-
+ - pipeline:
+ name: '{< IngestPipeline "fp-pipeline" >}'
+ if: "ctx.cef?.device?.vendor == 'FORCEPOINT'"
 on_failure:
 - set:
 field: error.message
diff --git a/x-pack/filebeat/module/cef/log/manifest.yml b/x-pack/filebeat/module/cef/log/manifest.yml
index 049b963a4aa..670a3188a4e 100644
--- a/x-pack/filebeat/module/cef/log/manifest.yml
+++ b/x-pack/filebeat/module/cef/log/manifest.yml
@@ -13,7 +13,10 @@ var:
 - name: input
 default: syslog
 
-ingest_pipeline: ingest/pipeline.yml
+ingest_pipeline:
+ - ingest/pipeline.yml
+ - ingest/fp-pipeline.yml
+
 input: config/input.yml
 
 requires.processors:
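Review bot: In fp-pipeline.yml the cs1 and cs2 processors both target `rule.id`, so an event carrying both a RuleID and a NAT rule ID has the firewall rule ID silently replaced by the NAT rule ID, which is the wrong value for anyone matching a Connection_Allowed/Discarded event back to the policy that produced it. Give cs2 its own field (for example `field: cef.forcepoint.nat_rule_id`, declared in the fileset's fields.yml) rather than reusing `rule.id`. The `if:` conditions also fire on mere presence of `deviceCustomStringN`; because cs1..cs4 are device-defined and the SMC sends the meaning alongside (the sample shows `cs1Label=RuleID`), guarding on the label, e.g. `if: "ctx.cef?.extensions?.deviceCustomString1Label == 'RuleID'"`, would prevent a differently configured SMC or another Forcepoint product from filling `rule.id` or `vulnerability.reference` with unrelated data. The comment `# cs2 is natRuleID` should then also name the label it expects, since the December 2011 connector guide the docs cite is the only source for these assignments.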
diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log
new file mode 100644
index 00000000000..a7ce1c7bbc6
--- /dev/null
+++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log
@@ -0,0 +1,13 @@
+CEF:0|FORCEPOINT|Firewall|6.6.1|0|Generic|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=log server connection established deviceFacility=Logging System rt=Jan 17 2020 08:52:10
+CEF:0|FORCEPOINT|Firewall|6.6.1|9005|FW_Communication-Communication-Error|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=Communication error: No route to host (-3, 5, 0) deviceFacility=Management rt=Jan 17 2020 08:52:09
+CEF:0|FORCEPOINT|Firewall|6.6.1|70018|Connection_Allowed|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 src=10.37.205.252 dst=10.1.1.40 proto=1 deviceOutboundInterface=255 act=Allow msg=Referred connection: 10.1.1.40 -> 10.37.133.35 frag\=0x4000 TCP 47413->3020 deviceFacility=Packet Filtering rt=Jan 17 2020 08:52:09 app=Dest. Unreachable (Host Unreachable) cs1Label=RuleID cs1=2097157.1
+CEF:0|FORCEPOINT|Firewall|unknown|70019|Connection_Discarded|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=172.16.1.1 dst=255.255.255.255 spt=68 dpt=67 proto=17 deviceOutboundInterface=255 deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:21 app=BOOTPS (UDP) cs1Label=RuleID cs1=605.0
+CEF:0|FORCEPOINT|Firewall|unknown|70020|Connection_Refused|0|deviceExternalId=Firewall-1 node 1 dvc=10.1.1.1 dvchost=10.1.1.1 src=172.16.1.1 dst=192.168.1.1 proto=1 deviceOutboundInterface=255 act=Refuse deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:23 app=Echo Request (No Code) cs1Label=RuleID cs1=601.0
+CEF:0|FORCEPOINT|Firewall|unknown|70021|Connection_Closed|0|deviceExternalId=Firewall-6 node 1 dvc=10.1.1.6 dvchost=10.1.1.6 proto=6 deviceOutboundInterface=255 destinationServiceName=YouTube suser=alice deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:20 app=TCP in=32526 out=27366
+CEF:0|FORCEPOINT|Firewall|unknown|72714|ECA_Metadata_login|0|deviceExternalId=Firewall-3 node 1 dvc=10.1.1.3 dvchost=10.1.1.3 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:33
+CEF:0|FORCEPOINT|Firewall|unknown|72715|ECA_Metadata_logout|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:31
+CEF:0|FORCEPOINT|Firewall|unknown|72716|ECA_Metadata_system_metadata_received|0|deviceExternalId=Firewall-8 node 1 dvc=10.1.1.8 dvchost=10.1.1.8 src=172.16.2.1 suser=alice deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:26
+CEF:0|FORCEPOINT|Firewall|6.6.1|78002|TLS connection state|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=TLS: Couldn't establish TLS connection (11, N/A) deviceFacility=Management rt=Jan 17 2020 08:52:09
+
+
+
diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json
new file mode 100644
index 00000000000..b421822914d
--- /dev/null
+++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json
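Review bot: Every sample event in fp-ngfw-smc.log carries at most `cs1Label=RuleID cs1=...`, so the golden test only ever exercises the cs1 branch of fp-pipeline.yml; the cs2, cs3 and cs4 mappings (NAT rule ID, `vulnerability.reference`, `cef.forcepoint.virus_id`) and the `rule.id` collision between cs1 and cs2 are never run and would not be caught by CI. Add at least one SMC event that carries cs2 through cs4 together with their labels, and one that carries both cs1 and cs2, so the expected JSON pins down what those branches produce. The three trailing empty lines at the end of the fixture add nothing (the expected output has exactly ten events) and could be dropped.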
@@ -0,0 +1,398 @@ +[ + { + "cef.device.event_class_id": "0", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "6.6.1", + "cef.extensions.deviceAddress": "10.1.1.40", + "cef.extensions.deviceExternalId": "Master FW node 1", + "cef.extensions.deviceFacility": "Logging System", + "cef.extensions.deviceHostName": "10.1.1.40", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:10.000Z", + "cef.extensions.message": "log server connection established", + "cef.name": "Generic", + "cef.severity": "0", + "cef.version": "0", + "event.code": "0", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|6.6.1|0|Generic|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=log server connection established deviceFacility=Logging System rt=Jan 17 2020 08:52:10", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "message": "log server connection established", + "observer.hostname": "10.1.1.40", + "observer.ip": "10.1.1.40", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "6.6.1", + "service.type": "cef", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "9005", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "6.6.1", + "cef.extensions.deviceAddress": "10.1.1.40", + "cef.extensions.deviceExternalId": "Master FW node 1", + "cef.extensions.deviceFacility": "Management", + "cef.extensions.deviceHostName": "10.1.1.40", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:09.000Z", + "cef.extensions.message": "Communication error: No route to host (-3, 5, 0)", + "cef.name": "FW_Communication-Communication-Error", + "cef.severity": "0", + "cef.version": "0", + "event.code": "9005", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": 
"CEF:0|FORCEPOINT|Firewall|6.6.1|9005|FW_Communication-Communication-Error|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=Communication error: No route to host (-3, 5, 0) deviceFacility=Management rt=Jan 17 2020 08:52:09", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 202, + "message": "Communication error: No route to host (-3, 5, 0)", + "observer.hostname": "10.1.1.40", + "observer.ip": "10.1.1.40", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "6.6.1", + "service.type": "cef", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "70018", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "6.6.1", + "cef.extensions.applicationProtocol": "Dest. Unreachable (Host Unreachable)", + "cef.extensions.destinationAddress": "10.1.1.40", + "cef.extensions.deviceAction": "Allow", + "cef.extensions.deviceAddress": "10.1.1.40", + "cef.extensions.deviceCustomString1": "2097157.1", + "cef.extensions.deviceCustomString1Label": "RuleID", + "cef.extensions.deviceExternalId": "Master FW node 1", + "cef.extensions.deviceFacility": "Packet Filtering", + "cef.extensions.deviceHostName": "10.1.1.40", + "cef.extensions.deviceOutboundInterface": "255", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:09.000Z", + "cef.extensions.message": "Referred connection: 10.1.1.40 -> 10.37.133.35 frag=0x4000 TCP 47413->3020", + "cef.extensions.sourceAddress": "10.37.205.252", + "cef.extensions.transportProtocol": "1", + "cef.name": "Connection_Allowed", + "cef.severity": "0", + "cef.version": "0", + "destination.ip": "10.1.1.40", + "event.action": "Allow", + "event.code": "70018", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|6.6.1|70018|Connection_Allowed|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 src=10.37.205.252 dst=10.1.1.40 proto=1 
deviceOutboundInterface=255 act=Allow msg=Referred connection: 10.1.1.40 -> 10.37.133.35 frag\\=0x4000 TCP 47413->3020 deviceFacility=Packet Filtering rt=Jan 17 2020 08:52:09 app=Dest. Unreachable (Host Unreachable) cs1Label=RuleID cs1=2097157.1", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 447, + "message": "Referred connection: 10.1.1.40 -> 10.37.133.35 frag=0x4000 TCP 47413->3020", + "network.application": "Dest. Unreachable (Host Unreachable)", + "network.community_id": "1:jVNka6fvdh9Qms3nSigb93hGP6U=", + "network.transport": "1", + "observer.hostname": "10.1.1.40", + "observer.ip": "10.1.1.40", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "6.6.1", + "rule.id": "2097157.1", + "service.type": "cef", + "source.ip": "10.37.205.252", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "70019", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.applicationProtocol": "BOOTPS (UDP)", + "cef.extensions.destinationAddress": "255.255.255.255", + "cef.extensions.destinationPort": 67, + "cef.extensions.deviceAddress": "10.1.1.10", + "cef.extensions.deviceCustomString1": "605.0", + "cef.extensions.deviceCustomString1Label": "RuleID", + "cef.extensions.deviceExternalId": "Firewall-10 node 1", + "cef.extensions.deviceFacility": "Packet Filtering", + "cef.extensions.deviceHostName": "10.1.1.10", + "cef.extensions.deviceOutboundInterface": "255", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:21.000Z", + "cef.extensions.sourceAddress": "172.16.1.1", + "cef.extensions.sourcePort": 68, + "cef.extensions.transportProtocol": "17", + "cef.name": "Connection_Discarded", + "cef.severity": "0", + "cef.version": "0", + "destination.ip": "255.255.255.255", + "destination.port": 67, + "event.code": "70019", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": 
"CEF:0|FORCEPOINT|Firewall|unknown|70019|Connection_Discarded|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=172.16.1.1 dst=255.255.255.255 spt=68 dpt=67 proto=17 deviceOutboundInterface=255 deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:21 app=BOOTPS (UDP) cs1Label=RuleID cs1=605.0", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 857, + "message": "Connection_Discarded", + "network.application": "BOOTPS (UDP)", + "network.community_id": "1:gRGAPcxUiQY+cM2V/f6dU0AJnuI=", + "network.transport": "17", + "observer.hostname": "10.1.1.10", + "observer.ip": "10.1.1.10", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "rule.id": "605.0", + "service.type": "cef", + "source.ip": "172.16.1.1", + "source.port": 68, + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "70020", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.applicationProtocol": "Echo Request (No Code)", + "cef.extensions.destinationAddress": "192.168.1.1", + "cef.extensions.deviceAction": "Refuse", + "cef.extensions.deviceAddress": "10.1.1.1", + "cef.extensions.deviceCustomString1": "601.0", + "cef.extensions.deviceCustomString1Label": "RuleID", + "cef.extensions.deviceExternalId": "Firewall-1 node 1", + "cef.extensions.deviceFacility": "Packet Filtering", + "cef.extensions.deviceHostName": "10.1.1.1", + "cef.extensions.deviceOutboundInterface": "255", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:23.000Z", + "cef.extensions.sourceAddress": "172.16.1.1", + "cef.extensions.transportProtocol": "1", + "cef.name": "Connection_Refused", + "cef.severity": "0", + "cef.version": "0", + "destination.ip": "192.168.1.1", + "event.action": "Refuse", + "event.code": "70020", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": 
"CEF:0|FORCEPOINT|Firewall|unknown|70020|Connection_Refused|0|deviceExternalId=Firewall-1 node 1 dvc=10.1.1.1 dvchost=10.1.1.1 src=172.16.1.1 dst=192.168.1.1 proto=1 deviceOutboundInterface=255 act=Refuse deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:23 app=Echo Request (No Code) cs1Label=RuleID cs1=601.0", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 1173, + "message": "Connection_Refused", + "network.application": "Echo Request (No Code)", + "network.community_id": "1:rdTu3DxOTXebXEr+rcV80Pk9a1s=", + "network.transport": "1", + "observer.hostname": "10.1.1.1", + "observer.ip": "10.1.1.1", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "rule.id": "601.0", + "service.type": "cef", + "source.ip": "172.16.1.1", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "70021", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.applicationProtocol": "TCP", + "cef.extensions.bytesIn": 32526, + "cef.extensions.bytesOut": 27366, + "cef.extensions.destinationServiceName": "YouTube", + "cef.extensions.deviceAddress": "10.1.1.6", + "cef.extensions.deviceExternalId": "Firewall-6 node 1", + "cef.extensions.deviceFacility": "Packet Filtering", + "cef.extensions.deviceHostName": "10.1.1.6", + "cef.extensions.deviceOutboundInterface": "255", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:20.000Z", + "cef.extensions.sourceUserName": "alice", + "cef.extensions.transportProtocol": "6", + "cef.name": "Connection_Closed", + "cef.severity": "0", + "cef.version": "0", + "destination.bytes": 27366, + "destination.service.name": "YouTube", + "event.code": "70021", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|70021|Connection_Closed|0|deviceExternalId=Firewall-6 node 1 dvc=10.1.1.6 dvchost=10.1.1.6 proto=6 
deviceOutboundInterface=255 destinationServiceName=YouTube suser=alice deviceFacility=Packet Filtering rt=Jan 17 2020 08:56:20 app=TCP in=32526 out=27366", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 1486, + "message": "Connection_Closed", + "network.application": "TCP", + "network.transport": "6", + "observer.hostname": "10.1.1.6", + "observer.ip": "10.1.1.6", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "service.type": "cef", + "source.bytes": 32526, + "source.user.name": "alice", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "72714", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.deviceAddress": "10.1.1.3", + "cef.extensions.deviceExternalId": "Firewall-3 node 1", + "cef.extensions.deviceFacility": "Endpoint Context Agent", + "cef.extensions.deviceHostName": "10.1.1.3", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:33.000Z", + "cef.extensions.sourceAddress": "192.168.1.1", + "cef.extensions.sourceUserName": "bob", + "cef.name": "ECA_Metadata_login", + "cef.severity": "0", + "cef.version": "0", + "event.code": "72714", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|72714|ECA_Metadata_login|0|deviceExternalId=Firewall-3 node 1 dvc=10.1.1.3 dvchost=10.1.1.3 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:33", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 1773, + "message": "ECA_Metadata_login", + "observer.hostname": "10.1.1.3", + "observer.ip": "10.1.1.3", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "service.type": "cef", + "source.ip": "192.168.1.1", + "source.user.name": "bob", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "72715", + 
"cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.deviceAddress": "10.1.1.10", + "cef.extensions.deviceExternalId": "Firewall-10 node 1", + "cef.extensions.deviceFacility": "Endpoint Context Agent", + "cef.extensions.deviceHostName": "10.1.1.10", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:31.000Z", + "cef.extensions.sourceAddress": "192.168.1.1", + "cef.extensions.sourceUserName": "bob", + "cef.name": "ECA_Metadata_logout", + "cef.severity": "0", + "cef.version": "0", + "event.code": "72715", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|unknown|72715|ECA_Metadata_logout|0|deviceExternalId=Firewall-10 node 1 dvc=10.1.1.10 dvchost=10.1.1.10 src=192.168.1.1 suser=bob deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:31", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 1987, + "message": "ECA_Metadata_logout", + "observer.hostname": "10.1.1.10", + "observer.ip": "10.1.1.10", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "service.type": "cef", + "source.ip": "192.168.1.1", + "source.user.name": "bob", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "72716", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "unknown", + "cef.extensions.deviceAddress": "10.1.1.8", + "cef.extensions.deviceExternalId": "Firewall-8 node 1", + "cef.extensions.deviceFacility": "Endpoint Context Agent", + "cef.extensions.deviceHostName": "10.1.1.8", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:56:26.000Z", + "cef.extensions.sourceAddress": "172.16.2.1", + "cef.extensions.sourceUserName": "alice", + "cef.name": "ECA_Metadata_system_metadata_received", + "cef.severity": "0", + "cef.version": "0", + "event.code": "72716", + "event.dataset": "cef.log", + "event.module": "cef", + 
"event.original": "CEF:0|FORCEPOINT|Firewall|unknown|72716|ECA_Metadata_system_metadata_received|0|deviceExternalId=Firewall-8 node 1 dvc=10.1.1.8 dvchost=10.1.1.8 src=172.16.2.1 suser=alice deviceFacility=Endpoint Context Agent rt=Jan 17 2020 08:56:26", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 2205, + "message": "ECA_Metadata_system_metadata_received", + "observer.hostname": "10.1.1.8", + "observer.ip": "10.1.1.8", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "unknown", + "service.type": "cef", + "source.ip": "172.16.2.1", + "source.user.name": "alice", + "tags": [ + "cef" + ] + }, + { + "cef.device.event_class_id": "78002", + "cef.device.product": "Firewall", + "cef.device.vendor": "FORCEPOINT", + "cef.device.version": "6.6.1", + "cef.extensions.deviceAddress": "10.1.1.40", + "cef.extensions.deviceExternalId": "Master FW node 1", + "cef.extensions.deviceFacility": "Management", + "cef.extensions.deviceHostName": "10.1.1.40", + "cef.extensions.deviceReceiptTime": "2020-01-17T08:52:09.000Z", + "cef.extensions.message": "TLS: Couldn't establish TLS connection (11, N/A)", + "cef.name": "TLS connection state", + "cef.severity": "0", + "cef.version": "0", + "event.code": "78002", + "event.dataset": "cef.log", + "event.module": "cef", + "event.original": "CEF:0|FORCEPOINT|Firewall|6.6.1|78002|TLS connection state|0|deviceExternalId=Master FW node 1 dvc=10.1.1.40 dvchost=10.1.1.40 msg=TLS: Couldn't establish TLS connection (11, N/A) deviceFacility=Management rt=Jan 17 2020 08:52:09", + "event.severity": 0, + "fileset.name": "log", + "input.type": "log", + "log.offset": 2439, + "message": "TLS: Couldn't establish TLS connection (11, N/A)", + "observer.hostname": "10.1.1.40", + "observer.ip": "10.1.1.40", + "observer.product": "Firewall", + "observer.vendor": "FORCEPOINT", + "observer.version": "6.6.1", + "service.type": "cef", + "tags": [ + "cef" + ] + } +] \ No newline at end of 
file