[Filebeat] Add Zeek NTP Fileset #24224

Merged
merged 5 commits into from
Mar 17, 2021
2 changes: 1 addition & 1 deletion CHANGELOG.next.asciidoc
Expand Up @@ -882,7 +882,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Upgrade okta to ecs 1.8.0 and move js processor to ingest pipeline {issue}23118[23118] {pull}23929[23929]
- Update zoom module to ECS 1.8. {pull}23904[23904] {issue}23118[23118]
- Support X-Forwarder-For in IIS logs. {pull}19142[192142]

- Added NTP fileset to Zeek module {pull}24224[24224]

*Heartbeat*
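Review bot: the new entry `- Added NTP fileset to Zeek module {pull}24224[24224]` is separated from the preceding entries by a blank line, which splits the bullet list in the rendered changelog; move it directly under the `- Support X-Forwarder-For in IIS logs.` line so it stays in the same list. While in this region, note that the neighbouring context line `{pull}19142[192142]` carries a mismatched PR number (19142 vs 192142); that is pre-existing and not part of this change, but worth a separate fix.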

137 changes: 137 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -159340,6 +159340,143 @@ type: keyword

--

[float]
=== ntp

Fields exported by the Zeek NTP log.



*`zeek.ntp.version`*::
+
--
The NTP version number (1, 2, 3, 4).


type: integer

--

*`zeek.ntp.mode`*::
+
--
The NTP mode being used.


type: integer

--

*`zeek.ntp.stratum`*::
+
--
The stratum (primary server, secondary server, etc.).


type: integer

--

*`zeek.ntp.poll`*::
+
--
The maximum interval between successive messages in seconds.


type: double

--

*`zeek.ntp.precision`*::
+
--
The precision of the system clock in seconds.


type: double

--

*`zeek.ntp.root_delay`*::
+
--
Total round-trip delay to the reference clock in seconds.


type: double

--

*`zeek.ntp.root_disp`*::
+
--
Total dispersion to the reference clock in seconds.


type: double

--

*`zeek.ntp.ref_id`*::
+
--
For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).


type: keyword

--

*`zeek.ntp.ref_time`*::
+
--
Time when the system clock was last set or correct.


type: date

--

*`zeek.ntp.org_time`*::
+
--
Time at the client when the request departed for the NTP server.


type: date

--

*`zeek.ntp.rec_time`*::
+
--
Time at the server when the request arrived from the NTP client.


type: date

--

*`zeek.ntp.xmt_time`*::
+
--
Time at the server when the response departed for the NTP client.


type: date

--

*`zeek.ntp.num_exts`*::
+
--
Number of extension fields (which are not currently parsed).


type: integer

--

[float]
=== ocsp
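Review bot: this file is generated from the module's `ntp/_meta/fields.yml`, so the wording nits visible here (`Time when the system clock was last set or correct` should read `last set or corrected`; `4 character string` should be `4-character string`) need to be fixed in fields.yml and the docs regenerated with `make update`, otherwise the next regeneration reverts any edit made directly to this file. Also check the closing sentence of the `zeek.ntp.ref_id` description, `an IPv4 address here is not necessarily IPv4`: the intended meaning is that a value that looks like an IPv4 address may actually be the first four bytes of the MD5 hash of an IPv6 reference clock, and saying that explicitly will save analysts who pivot on this field from resolving a bogus address.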

2 changes: 2 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
Expand Up @@ -2157,6 +2157,8 @@ filebeat.modules:
enabled: true
notice:
enabled: true
ntp:
enabled: true
ntlm:
enabled: true
ocsp:
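Review bot: `ntp:` is inserted between `notice:` and `ntlm:`, but the Zeek fileset list in this file is alphabetical and `ntlm` sorts before `ntp`; the order should be `notice:`, `ntlm:`, `ntp:`, `ocsp:`. Since filebeat.reference.yml is generated from `x-pack/filebeat/module/zeek/_meta/config.yml`, fix the order in that source file and run `make update` so the two stay in sync rather than editing this file by hand.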
2 changes: 2 additions & 0 deletions x-pack/filebeat/module/zeek/_meta/config.yml
Expand Up @@ -31,6 +31,8 @@
enabled: true
notice:
enabled: true
ntp:
enabled: true
ntlm:
enabled: true
ocsp:
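Review bot: same ordering problem as in filebeat.reference.yml: `ntp:` should follow `ntlm:` (alphabetical order), giving `notice:` / `ntlm:` / `ntp:` / `ocsp:`. This `_meta/config.yml` is the source the reference config is generated from, so this is the place to correct it.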
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/zeek/fields.go
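Review bot: `fields.go` is generated output (the embedded fields.yml), so it is not reviewable by hand here; make sure it is regenerated with `make update` after any wording fix lands in `ntp/_meta/fields.yml`, otherwise the index template, the generated docs and the source yml will disagree.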


63 changes: 63 additions & 0 deletions x-pack/filebeat/module/zeek/ntp/_meta/fields.yml
@@ -0,0 +1,63 @@
- name: ntp
type: group
default_field: false
description: >
Fields exported by the Zeek NTP log.
fields:
- name: version
type: integer
description: >
The NTP version number (1, 2, 3, 4).
- name: mode
type: integer
description: >
The NTP mode being used.
- name: stratum
type: integer
description: >
The stratum (primary server, secondary server, etc.).
- name: poll
type: double
description: >
The maximum interval between successive messages in seconds.
- name: precision
type: double
description: >
The precision of the system clock in seconds.
- name: root_delay
type: double
description: >
Total round-trip delay to the reference clock in seconds.
- name: root_disp
type: double
description: >
Total dispersion to the reference clock in seconds.
- name: ref_id
type: keyword
description: >
For stratum 0, 4 character string used for debugging.
For stratum 1, ID assigned to the reference clock by IANA.
Above stratum 1, when using IPv4, the IP address of the reference clock.
Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses,
so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address
(i.e. an IPv4 address here is not necessarily IPv4).
- name: ref_time
type: date
description: >
Time when the system clock was last set or correct.
- name: org_time
type: date
description: >
Time at the client when the request departed for the NTP server.
- name: rec_time
type: date
description: >
Time at the server when the request arrived from the NTP client.
- name: xmt_time
type: date
description: >
Time at the server when the response departed for the NTP client.
- name: num_exts
type: integer
description: >
Number of extension fields (which are not currently parsed).
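Review bot: two description strings read oddly once rendered into the docs: under `ref_time`, `Time when the system clock was last set or correct` should be `last set or corrected`, and under `ref_id`, `4 character string` should be `4-character string`. Since these strings feed the generated fields.asciidoc and fields.go, fixing them here is the only place that sticks. One suggestion: `mode` and `stratum` are the fields analysts filter on when looking for hosts unexpectedly answering as NTP servers, so a short value legend in the `mode` description (per RFC 5905: 3 = client, 4 = server, 5 = broadcast) would make the field usable without a trip to the RFC.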
57 changes: 57 additions & 0 deletions x-pack/filebeat/module/zeek/ntp/config/ntp.yml
@@ -0,0 +1,57 @@
type: log
paths:
{{ range $i, $path := .paths }}
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}

processors:
- rename:
fields:
- {from: message, to: event.original}
- decode_json_fields:
fields: [event.original]
target: zeek.ntp
- convert:
ignore_missing: true
fields:
- {from: zeek.ntp.id.orig_h, to: source.address}
- {from: zeek.ntp.id.orig_h, to: source.ip, type: ip}
- {from: zeek.ntp.id.orig_p, to: source.port, type: long}
- {from: zeek.ntp.id.resp_h, to: destination.address}
- {from: zeek.ntp.id.resp_h, to: destination.ip, type: ip}
- {from: zeek.ntp.id.resp_p, to: destination.port, type: long}
- rename:
ignore_missing: true
fields:
- from: zeek.ntp.uid
to: zeek.session_id
- drop_fields:
ignore_missing: true
fields:
- zeek.ntp.id.orig_h
- zeek.ntp.id.orig_p
- zeek.ntp.id.resp_h
- zeek.ntp.id.resp_p
- add_fields:
target: event
fields:
kind: event
category:
- network
type:
- connection
- protocol
- info
- add_fields:
target: network
fields:
protocol: ntp
transport: udp
- community_id:
- add_fields:
target: ''
fields:
ecs.version: 1.8.0
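Review bot: the `decode_json_fields` processor has no `add_error_key: true`, so a log line that fails to parse passes through with only `event.original` set and none of the `zeek.ntp.*` fields, and nothing flags it; add `add_error_key: true` so parse failures surface in `error.message` and can be monitored. Two smaller points on the same block: the `convert` processor populates `source.ip` and `destination.ip` but nothing fills `related.ip`, which is the ECS field cross-source pivots rely on, so consider adding it; and nothing in this config maps Zeek's `ts` to `@timestamp`, so unless the fileset's ingest pipeline (not part of this diff) does it, events will carry ingest time rather than the time Zeek observed the packet, which skews any timeline built from them.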